Analysis
max time kernel: 150s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20/09/2024, 04:02
Static task: static1
Behavioral task: behavioral1
Sample: ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Resource: win7-20240903-en

General
Target: ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Size: 512KB
MD5: ecceb41546351e4d9090d43c5c275d17
SHA1: 07bbf29f0fc664a01653fbe2b1f235489e0f6773
SHA256: 4851e662cd08c5b5956c02d036308d96c6fdedff447a5d5eac8323351af60f18
SHA512: 7e4c03668f9d14c76a0a12f0d5d4bc65f780d43b412c746f25472bb05ebc17cca5e70ca15e2ad8aad9b3c43c88ef4431a1c1777512340f076b7a0e37edb9ff24
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6h:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Y
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (xnspwfdyal.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (xnspwfdyal.exe)
Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (xnspwfdyal.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (xnspwfdyal.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (xnspwfdyal.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (xnspwfdyal.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (xnspwfdyal.exe)
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (xnspwfdyal.exe)
Executes dropped EXE 5 IoCs
- PID 2160 xnspwfdyal.exe
- PID 2728 ukrzgnoqblefkjm.exe
- PID 2824 txyesdiu.exe
- PID 2580 vizlrvavejeoz.exe
- PID 2744 txyesdiu.exe
Loads dropped DLL 5 IoCs
- PID 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe (4 entries)
- PID 2160 xnspwfdyal.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (xnspwfdyal.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (xnspwfdyal.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (xnspwfdyal.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (xnspwfdyal.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (xnspwfdyal.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (xnspwfdyal.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\esvjaaki = "xnspwfdyal.exe" (ukrzgnoqblefkjm.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cvtdzigy = "ukrzgnoqblefkjm.exe" (ukrzgnoqblefkjm.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vizlrvavejeoz.exe" (ukrzgnoqblefkjm.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\q: txyesdiu.exe File opened (read-only) \??\r: txyesdiu.exe File opened (read-only) \??\u: txyesdiu.exe File opened (read-only) \??\s: xnspwfdyal.exe File opened (read-only) \??\y: xnspwfdyal.exe File opened (read-only) \??\w: txyesdiu.exe File opened (read-only) \??\a: txyesdiu.exe File opened (read-only) \??\a: xnspwfdyal.exe File opened (read-only) \??\v: txyesdiu.exe File opened (read-only) \??\m: txyesdiu.exe File opened (read-only) \??\p: xnspwfdyal.exe File opened (read-only) \??\k: txyesdiu.exe File opened (read-only) \??\r: txyesdiu.exe File opened (read-only) \??\y: txyesdiu.exe File opened (read-only) \??\o: xnspwfdyal.exe File opened (read-only) \??\l: txyesdiu.exe File opened (read-only) \??\k: txyesdiu.exe File opened (read-only) \??\o: txyesdiu.exe File opened (read-only) \??\x: txyesdiu.exe File opened (read-only) \??\z: txyesdiu.exe File opened (read-only) \??\n: xnspwfdyal.exe File opened (read-only) \??\b: txyesdiu.exe File opened (read-only) \??\n: txyesdiu.exe File opened (read-only) \??\o: txyesdiu.exe File opened (read-only) \??\p: txyesdiu.exe File opened (read-only) \??\y: txyesdiu.exe File opened (read-only) \??\j: txyesdiu.exe File opened (read-only) \??\z: xnspwfdyal.exe File opened (read-only) \??\i: xnspwfdyal.exe File opened (read-only) \??\v: xnspwfdyal.exe File opened (read-only) \??\g: txyesdiu.exe File opened (read-only) \??\i: txyesdiu.exe File opened (read-only) \??\q: txyesdiu.exe File opened (read-only) \??\j: xnspwfdyal.exe File opened (read-only) \??\h: xnspwfdyal.exe File opened (read-only) \??\r: xnspwfdyal.exe File opened (read-only) \??\h: txyesdiu.exe File opened (read-only) \??\e: xnspwfdyal.exe File opened (read-only) \??\l: txyesdiu.exe File opened (read-only) \??\l: xnspwfdyal.exe File opened (read-only) \??\u: txyesdiu.exe File opened (read-only) \??\i: txyesdiu.exe File opened (read-only) \??\w: txyesdiu.exe File opened (read-only) \??\a: txyesdiu.exe File opened 
(read-only) \??\s: txyesdiu.exe File opened (read-only) \??\t: txyesdiu.exe File opened (read-only) \??\h: txyesdiu.exe File opened (read-only) \??\p: txyesdiu.exe File opened (read-only) \??\v: txyesdiu.exe File opened (read-only) \??\k: xnspwfdyal.exe File opened (read-only) \??\w: xnspwfdyal.exe File opened (read-only) \??\x: xnspwfdyal.exe File opened (read-only) \??\e: txyesdiu.exe File opened (read-only) \??\g: txyesdiu.exe File opened (read-only) \??\e: txyesdiu.exe File opened (read-only) \??\g: xnspwfdyal.exe File opened (read-only) \??\q: xnspwfdyal.exe File opened (read-only) \??\b: txyesdiu.exe File opened (read-only) \??\t: txyesdiu.exe File opened (read-only) \??\b: xnspwfdyal.exe File opened (read-only) \??\t: xnspwfdyal.exe File opened (read-only) \??\u: xnspwfdyal.exe File opened (read-only) \??\j: txyesdiu.exe File opened (read-only) \??\n: txyesdiu.exe -
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (xnspwfdyal.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (xnspwfdyal.exe)
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
- behavioral1/memory/2252-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral1/files/0x00030000000178b0-5.dat (yara rule: autoit_exe)
- behavioral1/files/0x000a000000012250-17.dat (yara rule: autoit_exe)
- behavioral1/files/0x00160000000185f5-27.dat (yara rule: autoit_exe)
- behavioral1/files/0x0005000000018663-35.dat (yara rule: autoit_exe)
- behavioral1/files/0x000500000001866f-66.dat (yara rule: autoit_exe)
- behavioral1/files/0x0007000000018671-72.dat (yara rule: autoit_exe)
Drops file in System32 directory 9 IoCs
- File opened for modification C:\Windows\SysWOW64\xnspwfdyal.exe (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\vizlrvavejeoz.exe (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (xnspwfdyal.exe)
- File created C:\Windows\SysWOW64\xnspwfdyal.exe (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\ukrzgnoqblefkjm.exe (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\txyesdiu.exe (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\txyesdiu.exe (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\vizlrvavejeoz.exe (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\ukrzgnoqblefkjm.exe (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
Drops file in Program Files directory 14 IoCs
All entries below are from txyesdiu.exe:
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Drops file in Windows directory 4 IoCs
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
- File opened for modification C:\Windows\mydoc.rtf (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (xnspwfdyal.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ukrzgnoqblefkjm.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (txyesdiu.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vizlrvavejeoz.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (txyesdiu.exe)
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 24 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (xnspwfdyal.exe)
- Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFFABFFE16F293830C3B3086ED3E90B08D02F84314033FE1C542EA08A7" (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468B6FF1D21A9D208D0D68A0B9163" (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (xnspwfdyal.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (xnspwfdyal.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B05B44E7399852CDBAD6329CD4B8" (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (xnspwfdyal.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322C769D5182246D4476D670222DD77D8F64AC" (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (xnspwfdyal.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (xnspwfdyal.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (xnspwfdyal.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (xnspwfdyal.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (xnspwfdyal.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (xnspwfdyal.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFF8E4F2A851D9041D6217D94BC92E137593667426331D69E" (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC70C14E6DABFB9CE7C92EDE037B9" (ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (xnspwfdyal.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (xnspwfdyal.exe)
- Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
- PID 2840 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe 2160 xnspwfdyal.exe 2160 xnspwfdyal.exe 2160 xnspwfdyal.exe 2160 xnspwfdyal.exe 2160 xnspwfdyal.exe 2824 txyesdiu.exe 2824 txyesdiu.exe 2824 txyesdiu.exe 2824 txyesdiu.exe 2728 ukrzgnoqblefkjm.exe 2728 ukrzgnoqblefkjm.exe 2728 ukrzgnoqblefkjm.exe 2728 ukrzgnoqblefkjm.exe 2728 ukrzgnoqblefkjm.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2744 txyesdiu.exe 2744 txyesdiu.exe 2744 txyesdiu.exe 2744 txyesdiu.exe 2728 ukrzgnoqblefkjm.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2728 ukrzgnoqblefkjm.exe 2728 ukrzgnoqblefkjm.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2728 ukrzgnoqblefkjm.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2728 ukrzgnoqblefkjm.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2728 ukrzgnoqblefkjm.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2728 ukrzgnoqblefkjm.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2728 ukrzgnoqblefkjm.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2728 ukrzgnoqblefkjm.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2728 ukrzgnoqblefkjm.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2728 ukrzgnoqblefkjm.exe 2580 vizlrvavejeoz.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
- Token: SeShutdownPrivilege, PID 2444 explorer.exe (10 entries)
- Token: 33, PID 2560 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 2560 AUDIODG.EXE
- Token: 33, PID 2560 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 2560 AUDIODG.EXE
- Token: SeShutdownPrivilege, PID 2444 explorer.exe (2 entries)
Suspicious use of FindShellTrayWindow 48 IoCs
pid Process 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe 2160 xnspwfdyal.exe 2160 xnspwfdyal.exe 2160 xnspwfdyal.exe 2824 txyesdiu.exe 2728 ukrzgnoqblefkjm.exe 2824 txyesdiu.exe 2824 txyesdiu.exe 2728 ukrzgnoqblefkjm.exe 2728 ukrzgnoqblefkjm.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2744 txyesdiu.exe 2744 txyesdiu.exe 2744 txyesdiu.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe -
Suspicious use of SendNotifyMessage 35 IoCs
pid Process 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe 2160 xnspwfdyal.exe 2160 xnspwfdyal.exe 2160 xnspwfdyal.exe 2824 txyesdiu.exe 2728 ukrzgnoqblefkjm.exe 2824 txyesdiu.exe 2824 txyesdiu.exe 2728 ukrzgnoqblefkjm.exe 2728 ukrzgnoqblefkjm.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2580 vizlrvavejeoz.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
- PID 2840 WINWORD.EXE (2 entries)
Suspicious use of WriteProcessMemory 28 IoCs
Each line lists source PID and image, target PID, and the sandbox procid_target; the count gives the number of identical entries.
- PID 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe wrote to memory of PID 2160 (procid_target 29), 4 entries
- PID 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe wrote to memory of PID 2728 (procid_target 30), 4 entries
- PID 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe wrote to memory of PID 2824 (procid_target 31), 4 entries
- PID 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe wrote to memory of PID 2580 (procid_target 32), 4 entries
- PID 2160 xnspwfdyal.exe wrote to memory of PID 2744 (procid_target 33), 4 entries
- PID 2252 ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe wrote to memory of PID 2840 (procid_target 34), 4 entries
- PID 2840 WINWORD.EXE wrote to memory of PID 1060 (procid_target 38), 4 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level gives the depth in the process tree: a Level 2 process is a child of the nearest preceding Level 1 process, and so on.

Level 1: C:\Users\Admin\AppData\Local\Temp\ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe"
PID: 2252
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\xnspwfdyal.exe
  Command line: xnspwfdyal.exe
  PID: 2160
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\txyesdiu.exe
    Command line: C:\Windows\system32\txyesdiu.exe
    PID: 2744
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow

  Level 2: C:\Windows\SysWOW64\ukrzgnoqblefkjm.exe
  Command line: ukrzgnoqblefkjm.exe
  PID: 2728
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\txyesdiu.exe
  Command line: txyesdiu.exe
  PID: 2824
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\vizlrvavejeoz.exe
  Command line: vizlrvavejeoz.exe
  PID: 2580
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Level 2: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  PID: 2840
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1060

Level 1: C:\Windows\explorer.exe
Command line: explorer.exe
PID: 2444
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

Level 1: C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x5a8
PID: 2560
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads