Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/04/2024, 15:12
Static task: static1
Behavioral task: behavioral1
- Sample: e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe
- Size: 512KB
- MD5: e2d18966d4665fb34cbbccad4c87e2cc
- SHA1: 249e4de741f006cb0d755e37b587f8cf3d638745
- SHA256: b7736ffd44d69a16213a96e771fae8d39546a2240b788971edeefe145d382268
- SHA512: 1138c643e40e8428ef177d169491b02e872c145887eb3d89a316c8e082bd0eee48cbce3b05e05b67650599790b6cc959a1f83b6fd174cb573141341e7b4aed2f
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q
Malware Config
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (mtqsrgnzht.exe)
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (mtqsrgnzht.exe)
- Windows security bypass (5 IoCs)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (mtqsrgnzht.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (mtqsrgnzht.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (mtqsrgnzht.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (mtqsrgnzht.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (mtqsrgnzht.exe)
- Disables RegEdit via registry modification (1 IoC)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (mtqsrgnzht.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
- Executes dropped EXE (5 IoCs)
  - PID 1848 mtqsrgnzht.exe
  - PID 4172 ssikaxeilhffyvv.exe
  - PID 220 bnutxamt.exe
  - PID 3576 zydgtlgfhwivc.exe
  - PID 1408 bnutxamt.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Windows security modification (6 IoCs)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (mtqsrgnzht.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (mtqsrgnzht.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (mtqsrgnzht.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (mtqsrgnzht.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (mtqsrgnzht.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (mtqsrgnzht.exe)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gufrvhmr = "mtqsrgnzht.exe" (ssikaxeilhffyvv.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opelsvuc = "ssikaxeilhffyvv.exe" (ssikaxeilhffyvv.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zydgtlgfhwivc.exe" (ssikaxeilhffyvv.exe)
- Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon (2 TTPs, 2 IoCs)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (mtqsrgnzht.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (mtqsrgnzht.exe)
- AutoIT Executable (10 IoCs)
  AutoIT scripts compiled to PE executables.
  - behavioral2/memory/4880-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
  - behavioral2/files/0x00070000000231ff-5.dat (yara rule: autoit_exe)
  - behavioral2/files/0x000a000000023198-18.dat (yara rule: autoit_exe)
  - behavioral2/files/0x0007000000023200-26.dat (yara rule: autoit_exe)
  - behavioral2/files/0x0007000000023201-32.dat (yara rule: autoit_exe)
  - behavioral2/files/0x0008000000016963-67.dat (yara rule: autoit_exe)
  - behavioral2/files/0x000500000001da14-70.dat (yara rule: autoit_exe)
  - behavioral2/files/0x000200000001e5b5-74.dat (yara rule: autoit_exe)
  - behavioral2/files/0x000200000001e715-97.dat (yara rule: autoit_exe)
  - behavioral2/files/0x000200000001e715-99.dat (yara rule: autoit_exe)
- Drops file in System32 directory (12 IoCs)
  - File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File opened for modification C:\Windows\SysWOW64\ssikaxeilhffyvv.exe (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - File created C:\Windows\SysWOW64\bnutxamt.exe (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - File opened for modification C:\Windows\SysWOW64\zydgtlgfhwivc.exe (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (mtqsrgnzht.exe)
  - File created C:\Windows\SysWOW64\zydgtlgfhwivc.exe (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File created C:\Windows\SysWOW64\mtqsrgnzht.exe (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - File opened for modification C:\Windows\SysWOW64\mtqsrgnzht.exe (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - File created C:\Windows\SysWOW64\ssikaxeilhffyvv.exe (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - File opened for modification C:\Windows\SysWOW64\bnutxamt.exe (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
- Drops file in Program Files directory (15 IoCs)
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (bnutxamt.exe)
  - File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (bnutxamt.exe)
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (bnutxamt.exe)
  - File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (bnutxamt.exe)
  - File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (bnutxamt.exe)
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (bnutxamt.exe)
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (bnutxamt.exe)
  - File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (bnutxamt.exe)
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (bnutxamt.exe)
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (bnutxamt.exe)
  - File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (bnutxamt.exe)
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (bnutxamt.exe)
  - File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (bnutxamt.exe)
  - File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (bnutxamt.exe)
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (bnutxamt.exe)
- Drops file in Windows directory (19 IoCs)
  - File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File opened for modification C:\Windows\mydoc.rtf (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
  - File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (bnutxamt.exe)
  - File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Modifies registry class (20 IoCs)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2D7C9D5782256D3E76D770512DAD7D8665DD" (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (mtqsrgnzht.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (mtqsrgnzht.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (mtqsrgnzht.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (mtqsrgnzht.exe)
  - Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F668B0FE1D22DAD109D0A68A749013" (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC70E15E7DAB7B9BE7FE2ECE234CA" (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (mtqsrgnzht.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (mtqsrgnzht.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (mtqsrgnzht.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B15D4492389F52BDBAD33298D4BB" (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFC8E485F856F903CD72B7D92BD92E1435840674E6241D7EE" (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (mtqsrgnzht.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9CEF964F192830E3A32869E3998B0FA02FC4315033FE2BE45E609D3" (e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (mtqsrgnzht.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (mtqsrgnzht.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (mtqsrgnzht.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (mtqsrgnzht.exe)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  - PID 2888 WINWORD.EXE
  - PID 2888 WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of FindShellTrayWindow (18 IoCs)
  - PID 4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe
  - PID 4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe
  - PID 4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe
  - PID 1848 mtqsrgnzht.exe
  - PID 1848 mtqsrgnzht.exe
  - PID 1848 mtqsrgnzht.exe
  - PID 4172 ssikaxeilhffyvv.exe
  - PID 4172 ssikaxeilhffyvv.exe
  - PID 4172 ssikaxeilhffyvv.exe
  - PID 220 bnutxamt.exe
  - PID 220 bnutxamt.exe
  - PID 220 bnutxamt.exe
  - PID 3576 zydgtlgfhwivc.exe
  - PID 3576 zydgtlgfhwivc.exe
  - PID 3576 zydgtlgfhwivc.exe
  - PID 1408 bnutxamt.exe
  - PID 1408 bnutxamt.exe
  - PID 1408 bnutxamt.exe
- Suspicious use of SendNotifyMessage (18 IoCs)
  - PID 4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe
  - PID 4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe
  - PID 4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe
  - PID 1848 mtqsrgnzht.exe
  - PID 1848 mtqsrgnzht.exe
  - PID 1848 mtqsrgnzht.exe
  - PID 4172 ssikaxeilhffyvv.exe
  - PID 4172 ssikaxeilhffyvv.exe
  - PID 4172 ssikaxeilhffyvv.exe
  - PID 220 bnutxamt.exe
  - PID 220 bnutxamt.exe
  - PID 220 bnutxamt.exe
  - PID 3576 zydgtlgfhwivc.exe
  - PID 3576 zydgtlgfhwivc.exe
  - PID 3576 zydgtlgfhwivc.exe
  - PID 1408 bnutxamt.exe
  - PID 1408 bnutxamt.exe
  - PID 1408 bnutxamt.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  - PID 2888 WINWORD.EXE
  - PID 2888 WINWORD.EXE
  - PID 2888 WINWORD.EXE
  - PID 2888 WINWORD.EXE
  - PID 2888 WINWORD.EXE
  - PID 2888 WINWORD.EXE
  - PID 2888 WINWORD.EXE
- Suspicious use of WriteProcessMemory (17 IoCs)
  Each row gives the description, the writing PID and process, and the target process id (procid_target).
  - PID 4880 wrote to memory of 1848 (4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe, target 88)
  - PID 4880 wrote to memory of 1848 (4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe, target 88)
  - PID 4880 wrote to memory of 1848 (4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe, target 88)
  - PID 4880 wrote to memory of 4172 (4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe, target 89)
  - PID 4880 wrote to memory of 4172 (4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe, target 89)
  - PID 4880 wrote to memory of 4172 (4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe, target 89)
  - PID 4880 wrote to memory of 220 (4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe, target 90)
  - PID 4880 wrote to memory of 220 (4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe, target 90)
  - PID 4880 wrote to memory of 220 (4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe, target 90)
  - PID 4880 wrote to memory of 3576 (4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe, target 91)
  - PID 4880 wrote to memory of 3576 (4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe, target 91)
  - PID 4880 wrote to memory of 3576 (4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe, target 91)
  - PID 4880 wrote to memory of 2888 (4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe, target 92)
  - PID 4880 wrote to memory of 2888 (4880 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe, target 92)
  - PID 1848 wrote to memory of 1408 (1848 mtqsrgnzht.exe, target 94)
  - PID 1848 wrote to memory of 1408 (1848 mtqsrgnzht.exe, target 94)
  - PID 1848 wrote to memory of 1408 (1848 mtqsrgnzht.exe, target 94)
Processes
- C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe (PID 4880, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\mtqsrgnzht.exe (PID 1848, depth 2)
    Command line: mtqsrgnzht.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\bnutxamt.exe (PID 1408, depth 3)
      Command line: C:\Windows\system32\bnutxamt.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\ssikaxeilhffyvv.exe (PID 4172, depth 2)
    Command line: ssikaxeilhffyvv.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\bnutxamt.exe (PID 220, depth 2)
    Command line: bnutxamt.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\zydgtlgfhwivc.exe (PID 3576, depth 2)
    Command line: zydgtlgfhwivc.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2888, depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads