46a1fa80fa54b56180d9dc8f4dfc144a0510089fec0d500d609ff1798cbd3287

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
Size

512KB
MD5

eac2712819daf5338c34a426fbfd5e44
SHA1

0bff35d5cb2441a0a8eb3203e46a5804a187781c
SHA256

46a1fa80fa54b56180d9dc8f4dfc144a0510089fec0d500d609ff1798cbd3287
SHA512

43773a04ad780d297442fe81b3d154baa9aa86c0d06a42e5aea08cd02717b03e59bbe96cc16128b83d00065d96122287f20c9d8c0208b0e8c4cd113f87b03d33
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5x

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	evptmmyhow.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	evptmmyhow.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	evptmmyhow.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	evptmmyhow.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	evptmmyhow.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	evptmmyhow.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	evptmmyhow.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	evptmmyhow.exe

Executes dropped EXE 5 IoCs

pid	Process
2764	evptmmyhow.exe
2528	oxnkhkjvkfvcfez.exe
2700	trponssq.exe
2696	gtdeheizsyxlo.exe
2572	trponssq.exe

Loads dropped DLL 5 IoCs

pid	Process
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
2764	evptmmyhow.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	evptmmyhow.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	evptmmyhow.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	evptmmyhow.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	evptmmyhow.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	evptmmyhow.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	evptmmyhow.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gtdeheizsyxlo.exe"	oxnkhkjvkfvcfez.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\esekhcrp = "evptmmyhow.exe"	oxnkhkjvkfvcfez.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lujmwlrl = "oxnkhkjvkfvcfez.exe"	oxnkhkjvkfvcfez.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	trponssq.exe
File opened (read-only)	\??\r:	trponssq.exe
File opened (read-only)	\??\u:	trponssq.exe
File opened (read-only)	\??\a:	trponssq.exe
File opened (read-only)	\??\g:	trponssq.exe
File opened (read-only)	\??\v:	trponssq.exe
File opened (read-only)	\??\z:	trponssq.exe
File opened (read-only)	\??\x:	evptmmyhow.exe
File opened (read-only)	\??\i:	trponssq.exe
File opened (read-only)	\??\s:	trponssq.exe
File opened (read-only)	\??\a:	evptmmyhow.exe
File opened (read-only)	\??\t:	trponssq.exe
File opened (read-only)	\??\r:	evptmmyhow.exe
File opened (read-only)	\??\u:	evptmmyhow.exe
File opened (read-only)	\??\e:	trponssq.exe
File opened (read-only)	\??\x:	trponssq.exe
File opened (read-only)	\??\h:	trponssq.exe
File opened (read-only)	\??\o:	trponssq.exe
File opened (read-only)	\??\q:	evptmmyhow.exe
File opened (read-only)	\??\j:	evptmmyhow.exe
File opened (read-only)	\??\b:	trponssq.exe
File opened (read-only)	\??\u:	trponssq.exe
File opened (read-only)	\??\b:	trponssq.exe
File opened (read-only)	\??\q:	trponssq.exe
File opened (read-only)	\??\h:	evptmmyhow.exe
File opened (read-only)	\??\k:	evptmmyhow.exe
File opened (read-only)	\??\w:	evptmmyhow.exe
File opened (read-only)	\??\z:	evptmmyhow.exe
File opened (read-only)	\??\j:	trponssq.exe
File opened (read-only)	\??\i:	trponssq.exe
File opened (read-only)	\??\j:	trponssq.exe
File opened (read-only)	\??\p:	trponssq.exe
File opened (read-only)	\??\m:	evptmmyhow.exe
File opened (read-only)	\??\k:	trponssq.exe
File opened (read-only)	\??\x:	trponssq.exe
File opened (read-only)	\??\g:	evptmmyhow.exe
File opened (read-only)	\??\v:	evptmmyhow.exe
File opened (read-only)	\??\n:	trponssq.exe
File opened (read-only)	\??\o:	trponssq.exe
File opened (read-only)	\??\q:	trponssq.exe
File opened (read-only)	\??\e:	trponssq.exe
File opened (read-only)	\??\s:	trponssq.exe
File opened (read-only)	\??\y:	trponssq.exe
File opened (read-only)	\??\e:	evptmmyhow.exe
File opened (read-only)	\??\y:	trponssq.exe
File opened (read-only)	\??\i:	evptmmyhow.exe
File opened (read-only)	\??\s:	evptmmyhow.exe
File opened (read-only)	\??\h:	trponssq.exe
File opened (read-only)	\??\l:	evptmmyhow.exe
File opened (read-only)	\??\o:	evptmmyhow.exe
File opened (read-only)	\??\p:	evptmmyhow.exe
File opened (read-only)	\??\g:	trponssq.exe
File opened (read-only)	\??\k:	trponssq.exe
File opened (read-only)	\??\v:	trponssq.exe
File opened (read-only)	\??\w:	trponssq.exe
File opened (read-only)	\??\b:	evptmmyhow.exe
File opened (read-only)	\??\t:	evptmmyhow.exe
File opened (read-only)	\??\y:	evptmmyhow.exe
File opened (read-only)	\??\w:	trponssq.exe
File opened (read-only)	\??\l:	trponssq.exe
File opened (read-only)	\??\m:	trponssq.exe
File opened (read-only)	\??\p:	trponssq.exe
File opened (read-only)	\??\r:	trponssq.exe
File opened (read-only)	\??\t:	trponssq.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	evptmmyhow.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	evptmmyhow.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1964-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x00070000000186f2-9.dat	autoit_exe
behavioral1/files/0x00080000000120f9-17.dat	autoit_exe
behavioral1/files/0x000700000001868b-22.dat	autoit_exe
behavioral1/files/0x0007000000018731-34.dat	autoit_exe
behavioral1/files/0x0002000000003d27-67.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gtdeheizsyxlo.exe	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\oxnkhkjvkfvcfez.exe	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\trponssq.exe	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\trponssq.exe	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\gtdeheizsyxlo.exe	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	evptmmyhow.exe
File created	C:\Windows\SysWOW64\evptmmyhow.exe	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\evptmmyhow.exe	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\oxnkhkjvkfvcfez.exe	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	trponssq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	trponssq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	trponssq.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	trponssq.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	trponssq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	trponssq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	trponssq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	trponssq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	trponssq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	trponssq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	trponssq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	trponssq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	trponssq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	trponssq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	trponssq.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evptmmyhow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oxnkhkjvkfvcfez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trponssq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtdeheizsyxlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trponssq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC7741591DAB6B9BA7CE8ECE734BE"	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	evptmmyhow.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	evptmmyhow.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	evptmmyhow.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	evptmmyhow.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	evptmmyhow.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B02844EE39ED53BFB9D133EFD4BC"	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	evptmmyhow.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	evptmmyhow.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	evptmmyhow.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462D7E9D5082206A3176DD772F2CD67D8165DE"	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFC83485F856D9130D75B7D9CBCE7E6315837664F6332D79B"	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468B6FE1821AAD278D0D48B7B906A"	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	evptmmyhow.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	evptmmyhow.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAF9BCF963F19283783B4A86EA3E97B0FB028B4215033AE1C8429E09A0"	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	evptmmyhow.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	evptmmyhow.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2320	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
2764	evptmmyhow.exe
2764	evptmmyhow.exe
2764	evptmmyhow.exe
2764	evptmmyhow.exe
2764	evptmmyhow.exe
2528	oxnkhkjvkfvcfez.exe
2528	oxnkhkjvkfvcfez.exe
2528	oxnkhkjvkfvcfez.exe
2528	oxnkhkjvkfvcfez.exe
2528	oxnkhkjvkfvcfez.exe
2700	trponssq.exe
2700	trponssq.exe
2700	trponssq.exe
2700	trponssq.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2572	trponssq.exe
2572	trponssq.exe
2572	trponssq.exe
2572	trponssq.exe
2528	oxnkhkjvkfvcfez.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2528	oxnkhkjvkfvcfez.exe
2528	oxnkhkjvkfvcfez.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2528	oxnkhkjvkfvcfez.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2528	oxnkhkjvkfvcfez.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2528	oxnkhkjvkfvcfez.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2528	oxnkhkjvkfvcfez.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2528	oxnkhkjvkfvcfez.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2528	oxnkhkjvkfvcfez.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2528	oxnkhkjvkfvcfez.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2528	oxnkhkjvkfvcfez.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2528	oxnkhkjvkfvcfez.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2592	explorer.exe
Token: SeShutdownPrivilege	2592	explorer.exe
Token: SeShutdownPrivilege	2592	explorer.exe
Token: SeShutdownPrivilege	2592	explorer.exe
Token: SeShutdownPrivilege	2592	explorer.exe
Token: SeShutdownPrivilege	2592	explorer.exe
Token: SeShutdownPrivilege	2592	explorer.exe
Token: SeShutdownPrivilege	2592	explorer.exe
Token: SeShutdownPrivilege	2592	explorer.exe
Token: SeShutdownPrivilege	2592	explorer.exe
Token: SeShutdownPrivilege	2592	explorer.exe
Token: SeShutdownPrivilege	2592	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
2764	evptmmyhow.exe
2528	oxnkhkjvkfvcfez.exe
2528	oxnkhkjvkfvcfez.exe
2528	oxnkhkjvkfvcfez.exe
2764	evptmmyhow.exe
2764	evptmmyhow.exe
2700	trponssq.exe
2700	trponssq.exe
2700	trponssq.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2572	trponssq.exe
2572	trponssq.exe
2572	trponssq.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
2764	evptmmyhow.exe
2528	oxnkhkjvkfvcfez.exe
2528	oxnkhkjvkfvcfez.exe
2528	oxnkhkjvkfvcfez.exe
2764	evptmmyhow.exe
2764	evptmmyhow.exe
2700	trponssq.exe
2700	trponssq.exe
2700	trponssq.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2696	gtdeheizsyxlo.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2320	WINWORD.EXE
2320	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2764	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2764	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2764	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2764	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2528	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	31
PID 1964 wrote to memory of 2528	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	31
PID 1964 wrote to memory of 2528	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	31
PID 1964 wrote to memory of 2528	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	31
PID 1964 wrote to memory of 2700	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2700	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2700	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2700	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2696	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	33
PID 1964 wrote to memory of 2696	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	33
PID 1964 wrote to memory of 2696	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	33
PID 1964 wrote to memory of 2696	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	33
PID 2764 wrote to memory of 2572	2764	evptmmyhow.exe	34
PID 2764 wrote to memory of 2572	2764	evptmmyhow.exe	34
PID 2764 wrote to memory of 2572	2764	evptmmyhow.exe	34
PID 2764 wrote to memory of 2572	2764	evptmmyhow.exe	34
PID 1964 wrote to memory of 2320	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	35
PID 1964 wrote to memory of 2320	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	35
PID 1964 wrote to memory of 2320	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	35
PID 1964 wrote to memory of 2320	1964	eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe	35
PID 2320 wrote to memory of 772	2320	WINWORD.EXE	38
PID 2320 wrote to memory of 772	2320	WINWORD.EXE	38
PID 2320 wrote to memory of 772	2320	WINWORD.EXE	38
PID 2320 wrote to memory of 772	2320	WINWORD.EXE	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\evptmmyhow.exe
  evptmmyhow.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\trponssq.exe
    C:\Windows\system32\trponssq.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2572
- C:\Windows\SysWOW64\oxnkhkjvkfvcfez.exe
  oxnkhkjvkfvcfez.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2528
- C:\Windows\SysWOW64\trponssq.exe
  trponssq.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2700
- C:\Windows\SysWOW64\gtdeheizsyxlo.exe
  gtdeheizsyxlo.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2696
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:772

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
2a66777f51e1af26bd353aa7563e165a

SHA1
287323bb4f0c71ce49ed4ef080f7102760a8df18

SHA256
8f8c8b6af0b4380dc06ca9798d586eac7087f6899372816c169ed736faa9d83f

SHA512
f1e47c1588f277b3550b8600bd3241e1a3d00b4a55b2d91f276c2a2859a4bd7f179259ee75474c72fc5abb0613bb7c33e1ff63b3c9cb9eacfe01dba0b3ab4485

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
401B

MD5
8359f47a1a3f6edf5c916c5b05f794ba

SHA1
8a7ba5fcef42b63b4c792b48e26f2e733308cace

SHA256
e9c318f37bce7d90551bc464260ce2363c356be3aaf4abf52b1c1ba2a7a3a2cf

SHA512
831dfd8a0defb522c92d33464649d2f5dfccd8b4a271c5533d280323fb4c870b70c4733b1d241a39aad7064ab5234cfd5ef4bafbb8e790a740176966c452c85b

Download Submit
C:\Windows\SysWOW64\trponssq.exe

Filesize
512KB

MD5
43b81f0b7c47ad6e176e36d820435eb1

SHA1
83f9b8f330b905c204330e103e56f3b57fdadf56

SHA256
cbe11b108779f38c6e6ad30f0be97210c05dee51e33d127ddb3b741cf1338650

SHA512
923d252b2876cc0369e1b73289396e69d59699f9f19ada26e5c9257619349b43345ba7ada7036de63fa96f8a5267829c28998b21ced5768e6f5cb3d1af2f1ee3

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\evptmmyhow.exe

Filesize
512KB

MD5
4fe063421548dc660dbf5e1f02516d87

SHA1
b4d2c1f90a4a08e99013439b91525ef73c0c01d2

SHA256
4f735dc6ea28c3260130bbdf2f038d62cad0b21be0227186c122ff8e79651e67

SHA512
36e5b1b71a8e1460121bd71727a867160219b40f05b37728ebc1d1f7d878236fa83934536cb3f57e250ed698e51935b94354d0feb626d00cb76b5f3fb16bdb12

Download Submit
\Windows\SysWOW64\gtdeheizsyxlo.exe

Filesize
512KB

MD5
5f5e37fd3e75418329203dffe5811454

SHA1
24613c586be5c58c5a8f1d01d55bd7599d016ee3

SHA256
b693145c6a936d4262c3f4a4f060e98dd86c2c34912955c93d6ca156a5407aae

SHA512
a4173d28f3e9dce465b20ce2542d6a500681cbf6eab69d9cb4ccc7ad8da708cb8e5ed254abf71cff11afe6610b9f88999a18d62dac91a9b7c6662a09eebc81c2

Download Submit
\Windows\SysWOW64\oxnkhkjvkfvcfez.exe

Filesize
512KB

MD5
90d9ddee01610e5d00c6bc9c3c8bb4c7

SHA1
14b06fcb7ebcf5502703e9b42fede8909f7d3e65

SHA256
e213056283269b1723a529239a3e23a18c0bb50eb0c9a627d89a8a7cd35e10d5

SHA512
1af6b6f85843f18221ecdcf035b628741726235a047453d20abe751e30baea0cdc2855c9f9d80b64b30638d3defb9442ba2a851caf579b5b39b2c27759383d14

Download Submit
memory/1964-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2320-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2592-82-0x0000000003C50000-0x0000000003C60000-memory.dmp

Filesize
64KB

Download