Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/04/2024, 05:16

Static task: static1
Behavioral task: behavioral1
  Sample: e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
The signatures, process tree and dropped files below come from behavioral2, the Windows 10 run (the platform is windows10-2004_x64 and every YARA hit is recorded under behavioral2/). The Windows 7 run is not shown on this page.
General
Target: e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe
Size: 512KB
MD5: e94e7933300cd60bc3f011dd41a72632
SHA1: 1f4d08415db105328491b185bb0c5dcdfaeba684
SHA256: b48ea3a507988bed8643928598a189275333fe4b40b233547eedd682d4eb6870
SHA512: 3a1d92669271812213ed1ae80814eebd830fd8996260f46f2957ca8311ef58278b402dbd1fe1fe1334103bc0826b7443d51951c4a63603a6cea38870195be3f5
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6e:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5J
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  Set value (int)  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  kxlvrmuzmv.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  Set value (int)  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  kxlvrmuzmv.exe
  Together these two values put Explorer back to hiding file extensions and protected operating-system files, so the *.doc.exe and *.DOC.exe payloads written later (see the Program Files and Windows directory signatures) display as ordinary documents.
Windows security bypass 5 IoCs
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  kxlvrmuzmv.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  kxlvrmuzmv.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  kxlvrmuzmv.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  kxlvrmuzmv.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  kxlvrmuzmv.exe
  The WOW6432Node path shows a 32-bit writer under registry redirection (the process runs from SysWOW64 and the sample is tagged arch:x86). These are the legacy Security Center settings that suppress the "antivirus/firewall/updates are off" warnings; they do not disable the products themselves, and Windows 10 honours few of them, but they remain a high-fidelity indicator.
Disables RegEdit via registry modification 1 IoCs
  Set value (int)  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  kxlvrmuzmv.exe
  This is the per-user policy value that makes regedit.exe refuse to start for the infected account.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
  PID 4816  kxlvrmuzmv.exe
  PID 3896  crzdzziefthsksq.exe
  PID 3452  aehwnnbe.exe
  PID 2072  aygqqcmtzfzuh.exe
  PID 3424  aehwnnbe.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  kxlvrmuzmv.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  kxlvrmuzmv.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  kxlvrmuzmv.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  kxlvrmuzmv.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  kxlvrmuzmv.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  kxlvrmuzmv.exe
  Five of these six values duplicate the Security Center writes listed earlier; the one new value is FirstRunDisabled.
Adds Run key to start application 2 TTPs 3 IoCs
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hsgguppm = "kxlvrmuzmv.exe"  crzdzziefthsksq.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\drxpewjg = "crzdzziefthsksq.exe"  crzdzziefthsksq.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\(Default) = "aygqqcmtzfzuh.exe"  crzdzziefthsksq.exe
  All three values are bare file names with no directory. They resolved during this run because a 32-bit parent's system directory is redirected to C:\Windows\SysWOW64, where the files were dropped; whether the 64-bit Explorer resolves the same bare names at logon depends on its search path, so verify the persistence on a real host rather than assume it. The WOW6432Node Run key itself is processed at logon on 64-bit Windows, and the third entry is written to the key's default value rather than a named value.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  All 64 entries are "File opened (read-only) \??\<letter>:"; summarised by process and drive letter:
  kxlvrmuzmv.exe  22 opens: a b e g h i j k l m o p q r s t u v w x y z (each letter once)
  aehwnnbe.exe    42 opens: a b e g h i j k l m n o p q r s t u v w x y z (e, h, i and v once, every other letter twice)
  Two instances of aehwnnbe.exe ran (PID 3452 and PID 3424), which accounts for the doubled letters. Neither process touches c:, d: or f:.
Modifies WinLogon 2 TTPs 2 IoCs
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  kxlvrmuzmv.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  kxlvrmuzmv.exe
  4294967197 is 0xFFFFFF9D, the value that switched off Windows File Protection on Windows 2000 and XP. WFP was replaced by Windows Resource Protection in Vista, so on this Windows 10 image the write removes no protection, but it is a distinctive indicator and fits the writes to Program Files and WinSxS recorded below.
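As an added detection example (this rule is not part of the Triage report and not taken from any rule repository), the registry writes above expressed as a Sigma rule over Sysmon registry-set events (Event ID 13, Sigma category registry_set). The value names and data are those recorded in this run; the rule id is a placeholder, and the Details strings follow Sysmon's "DWORD (0x........)" formatting, which Sigma matches case-insensitively.

```yaml
title: Security Center Notification Suppression, SFCDisable and DisableRegistryTools Writes
id: 00000000-0000-0000-0000-000000000000   # placeholder, replace before deploying
status: experimental
description: >
  Registry writes observed in this sandbox run: Security Center *DisableNotify / *Override
  values set to 1, Winlogon SFCDisable set to 0xFFFFFF9D (4294967197) and the per-user
  DisableRegistryTools policy set to 1. Written from the report IoCs, not from an existing rule.
logsource:
  category: registry_set
  product: windows
detection:
  selection_wsc:
    TargetObject|contains: '\Microsoft\Security Center\'
    TargetObject|endswith:
      - '\AntiVirusDisableNotify'
      - '\FirewallDisableNotify'
      - '\UpdatesDisableNotify'
      - '\AntiVirusOverride'
      - '\FirewallOverride'
      - '\FirstRunDisabled'
    Details: 'DWORD (0x00000001)'
  selection_sfc:
    TargetObject|endswith: '\Windows NT\CurrentVersion\Winlogon\SFCDisable'
    Details: 'DWORD (0xffffff9d)'
  selection_regedit:
    TargetObject|endswith: '\Policies\System\DisableRegistryTools'
    Details: 'DWORD (0x00000001)'
  condition: 1 of selection_*
falsepositives:
  - Hardening scripts or GPO processing that set DisableRegistryTools; check the writing Image
level: high
tags:
  - attack.defense_evasion
  - attack.t1112
  - attack.t1562.001
```

The rule deliberately matches on the value name suffix rather than the full key path, so it fires whether the writer is 32-bit (WOW6432Node, as here) or 64-bit.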
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
  yara_rule autoit_exe matched:
  behavioral2/memory/2044-0-0x0000000000400000-0x0000000000496000-memory.dmp
  behavioral2/files/0x0007000000023224-5.dat
  behavioral2/files/0x000b0000000231a8-18.dat
  behavioral2/files/0x0007000000023226-31.dat
  behavioral2/files/0x0007000000023225-29.dat
  behavioral2/files/0x000400000001db64-76.dat
  behavioral2/files/0x000400000001db65-79.dat
  behavioral2/files/0x000400000001db66-85.dat
  behavioral2/files/0x000200000001e59c-97.dat
  behavioral2/files/0x000600000001e0bb-91.dat
  behavioral2/files/0x000400000001e7fd-116.dat
  behavioral2/files/0x000400000001e7fd-121.dat
  The rule hits the first stage in memory (PID 2044) and eleven written files, so every stage of the chain is an AutoIt-compiled binary. The embedded script can normally be recovered with an AutoIt decompiler, which is the fastest route to the complete logic behind the behaviour listed here.
Drops file in System32 directory 13 IoCs
  File created                  C:\Windows\SysWOW64\kxlvrmuzmv.exe       e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\kxlvrmuzmv.exe       e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\crzdzziefthsksq.exe  e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\crzdzziefthsksq.exe  e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\aehwnnbe.exe         e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\aehwnnbe.exe         e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\aygqqcmtzfzuh.exe    e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\aygqqcmtzfzuh.exe    e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll         kxlvrmuzmv.exe
  File created                  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  aehwnnbe.exe  (2 entries)
  File opened for modification  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  aehwnnbe.exe  (2 entries)
  msvbvm60.dll is the Visual Basic 6 runtime, an existing system DLL; it is opened for write by kxlvrmuzmv.exe, so compare its hash with a known-good copy on any host showing the other indicators. The duplicated MsoIrmProtector entries come from the two aehwnnbe.exe instances.
Drops file in Program Files directory 22 IoCs
  All entries are by aehwnnbe.exe; grouped by target (the \??\c:\ and C:\ spellings refer to the same file):
  C:\Program Files\MountConvertTo.doc.exe                              created ×1, opened for modification ×4
  C:\Program Files\MountConvertTo.nal                                  opened for modification ×2
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  created ×2, opened for modification ×4
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal      opened for modification ×2
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  created ×1, opened for modification ×4
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal      opened for modification ×2
  Each new X.DOC.exe has a sibling X.nal with the same base name, consistent with an existing document being renamed to .nal and replaced by an executable that carries the document's name; with extensions hidden (see the Explorer signatures) the replacement looks like the original document.
Drops file in Windows directory 19 IoCs
  C:\Windows\mydoc.rtf      opened for modification by e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe, then opened for modification by WINWORD.EXE
  C:\Windows\~$mydoc.rtf    created by WINWORD.EXE (Word's owner lock file for the open document)
  MsoIrmProtector.doc.exe in four WinSxS component directories, all by aehwnnbe.exe, each created ×2 and opened for modification ×2:
    \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
    \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
    \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
    \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
  The "r..t" in the directory names is the servicing stack's own abbreviation of long component names, not an extraction artifact. MsoIrmProtector.doc.exe is a genuine component-store binary, so these are writes to existing protected files rather than new drops; Windows Resource Protection normally denies them, so check whether they succeeded (for example with sfc /scannow) before assuming the component store is clean.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily    WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU       WINWORD.EXE
  Both signatures are attributed to WINWORD.EXE, which the first stage launched on C:\Windows\mydoc.rtf, and to none of the dropped executables. On this evidence they are Word's own startup activity, not sandbox evasion by the malware.
Modifies registry class 20 IoCs
  By e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe:
    Key created      \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings
    Key created      \REGISTRY\MACHINE\Software\Classes\CLV.Classes
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332D0B9C2582596D3E76DD77232DAD7D8365DF"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDF9CDFE67F1E2847A3A4B86EB3994B08903F04360023AE1C5459C09D2"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB12F47E6389E53BFBADC32E8D7B8"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FC8E482782699040D75D7DE7BC90E641594166366244D79C"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78668B6FE1A21DFD10CD1D58B799167"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C7081493DBC2B8C17FE3ED9434CE"
  By kxlvrmuzmv.exe:
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, .vbs, .reg, .wsc, .wsf, .wsh
    Set value (str)  default value of \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, .vbs, .reg, .wsc, .WSF, .WSH = "txtfile"
  The CLV.Classes values are opaque hex strings written by the first stage; this report does not resolve their meaning. Pointing the six script extensions at the txtfile ProgID means a double-click opens them in Notepad instead of running them, which blocks Explorer-launched .bat/.vbs/.reg cleanup (cmd.exe, wscript.exe and regedit /s still work from the command line). HKLM\SOFTWARE\Classes is shared between the 32- and 64-bit registry views, so this change affects every process.
Suspicious behavior: AddClipboardFormatListener 2 IoCs
  PID 1268  WINWORD.EXE  (×2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
  PID 2044  e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe  (×16)
  PID 3896  crzdzziefthsksq.exe  (×14)
  PID 4816  kxlvrmuzmv.exe  (×10)
  PID 2072  aygqqcmtzfzuh.exe  (×16)
  PID 3452  aehwnnbe.exe  (×8)
Suspicious use of FindShellTrayWindow 18 IoCs
  PID 2044  e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe  (×3)
  PID 3896  crzdzziefthsksq.exe  (×3)
  PID 4816  kxlvrmuzmv.exe  (×3)
  PID 2072  aygqqcmtzfzuh.exe  (×3)
  PID 3452  aehwnnbe.exe  (×3)
  PID 3424  aehwnnbe.exe  (×3)
Suspicious use of SendNotifyMessage 18 IoCs
  Same six PIDs, three entries each, as FindShellTrayWindow.
Suspicious use of SetWindowsHookEx 7 IoCs
  PID 1268  WINWORD.EXE  (×7)
Suspicious use of WriteProcessMemory 17 IoCs
  PID 2044 e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe wrote to PID 4816 kxlvrmuzmv.exe       (×3, procid_target 87)
  PID 2044 e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe wrote to PID 3896 crzdzziefthsksq.exe  (×3, procid_target 89)
  PID 2044 e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe wrote to PID 3452 aehwnnbe.exe         (×3, procid_target 90)
  PID 2044 e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe wrote to PID 2072 aygqqcmtzfzuh.exe    (×3, procid_target 91)
  PID 2044 e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe wrote to PID 1268 WINWORD.EXE          (×2, procid_target 92)
  PID 4816 kxlvrmuzmv.exe wrote to PID 3424 aehwnnbe.exe                                             (×3, procid_target 94)
  Every WriteProcessMemory pairing is a parent-to-child edge of the process tree below, the normal pattern produced by process creation, not writes into unrelated processes. The clipboard listener and SetWindowsHookEx entries belong to WINWORD.EXE alone.
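As an added host-triage example (this script is not part of the Triage report and not the sample's code), the following PowerShell checks a live Windows host for the registry and file artifacts listed in the signatures above. It assumes an elevated 64-bit PowerShell session started as the affected user, so that HKCU: is that user's hive and the WOW6432Node view is visible alongside the native one. Paths, value names and file names are copied from the report; the function names and the list layout are my own.

```powershell
# Added host-triage script for the artifacts in this report (not the sample's code, not part of Triage).
# Assumes: elevated 64-bit PowerShell, run as the affected user (so HKCU: is that user's hive).
# Read-only: it reports what it finds and changes nothing.

$Wow = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft'
$Adv = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Registry values the sample writes, with the data each IoC reported.
# REG_DWORD comes back from Get-ItemProperty as a signed Int32, so 0xFFFFFF9D
# (4294967197 in the report) reads as -99; compare against -99, not 4294967197.
$RegChecks = @(
    @{ Path = $Adv; Name = 'HideFileExt';     Expected = 1 },
    @{ Path = $Adv; Name = 'ShowSuperHidden'; Expected = 0 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Expected = 1 },
    @{ Path = "$Wow\Windows NT\CurrentVersion\Winlogon"; Name = 'SFCDisable'; Expected = -99 },
    @{ Path = "$Wow\Windows NT\CurrentVersion\Winlogon"; Name = 'SFCScan';    Expected = 0 }
)
foreach ($n in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
              'AntiVirusOverride', 'FirewallOverride', 'FirstRunDisabled') {
    $RegChecks += @{ Path = "$Wow\Security Center"; Name = $n; Expected = 1 }
}

# Run-key persistence written to the 32-bit view (still processed at logon on 64-bit Windows).
$RunKey   = "$Wow\Windows\CurrentVersion\Run"
$RunNames = @('hsgguppm', 'drxpewjg', '(default)')

# Script-extension hijack: default handler pointed at txtfile, so a double-click opens Notepad.
$HijackedExts = '.bat', '.vbs', '.reg', '.wsf', '.wsc', '.wsh'

# Files written in this run (the executable names are specific to this run).
$DroppedFiles = @(
    'C:\Windows\SysWOW64\kxlvrmuzmv.exe', 'C:\Windows\SysWOW64\crzdzziefthsksq.exe',
    'C:\Windows\SysWOW64\aehwnnbe.exe',   'C:\Windows\SysWOW64\aygqqcmtzfzuh.exe',
    'C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe', 'C:\Windows\mydoc.rtf',
    'C:\Program Files\MountConvertTo.doc.exe'
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Invoke-IocScan {
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($c in $RegChecks) {
        $v = Get-RegValue $c.Path $c.Name
        if ($null -ne $v -and $v -eq $c.Expected) { $findings.Add("REG   $($c.Path)\$($c.Name) = $v") }
    }
    foreach ($n in $RunNames) {
        $v = Get-RegValue $RunKey $n
        # The sample writes bare file names; flag any Run value that carries no directory separator.
        if ($v -and ($v -notmatch '\\')) { $findings.Add("RUN   $RunKey\$n = '$v' (bare name)") }
    }
    foreach ($ext in $HijackedExts) {
        $v = Get-RegValue "HKLM:\SOFTWARE\Classes\$ext" '(default)'
        if ($v -eq 'txtfile') { $findings.Add("ASSOC HKLM:\SOFTWARE\Classes\$ext -> txtfile") }
    }
    foreach ($f in $DroppedFiles) {
        if (Test-Path -LiteralPath $f) {
            $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $findings.Add("FILE  $f sha256=$h")
        }
    }
    # The report shows documents renamed to *.nal beside new *.doc.exe files, so sweep for the
    # pattern under Program Files rather than relying on the exact names seen in one run.
    Get-ChildItem -Path 'C:\Program Files', 'C:\Program Files (x86)' -Recurse -File `
        -Include '*.doc.exe', '*.nal' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("FILE  $($_.FullName) (doc.exe / nal pattern)") }

    return $findings
}

$result = Invoke-IocScan
if ($result.Count -eq 0) { 'No artifacts from this report found.' } else { $result }
```

The script reports file hashes rather than comparing them with the hashes in this report, because the dropped 512KB files listed under Downloads all differ from the submitted sample and from each other; presence plus the registry indicators is the useful signal, not a hash match.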
Processes
[1] C:\Users\Admin\AppData\Local\Temp\e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe  PID 2044
    command line: "C:\Users\Admin\AppData\Local\Temp\e94e7933300cd60bc3f011dd41a72632_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\kxlvrmuzmv.exe  PID 4816
      command line: kxlvrmuzmv.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\aehwnnbe.exe  PID 3424
        command line: C:\Windows\system32\aehwnnbe.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
  [2] C:\Windows\SysWOW64\crzdzziefthsksq.exe  PID 3896
      command line: crzdzziefthsksq.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  [2] C:\Windows\SysWOW64\aehwnnbe.exe  PID 3452
      command line: aehwnnbe.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  [2] C:\Windows\SysWOW64\aygqqcmtzfzuh.exe  PID 2072
      command line: aygqqcmtzfzuh.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  PID 1268
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Notes on the tree: the first stage starts its four dropped executables by bare name, which resolve to C:\Windows\SysWOW64 because a 32-bit process's system directory is redirected there. The PID 3424 child is even launched as C:\Windows\system32\aehwnnbe.exe while its image is the SysWOW64 copy, so a hunt for the "system32" path on other hosts must cover SysWOW64 as well. The only non-dropped child is Word, opened on C:\Windows\mydoc.rtf, which the first stage wrote before launching it; the registry reads, clipboard listener and hook signatures on PID 1268 are Word's, not the malware's.
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2): Hidden Files and Directories (2)
  Impair Defenses (2): Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
-
Filesize: 512KB
MD5: ef816c196d0510816025978a8d0d3df9
SHA1: 047e9b9446816ada90ee46f9ec490b156f59f9dc
SHA256: bc5e4238179ec5b4f6a5f205a5450d207aba7eb577017c2658a038d9e18fbc1c
SHA512: 55a5e6eb92f14b643d739d5268f3c0a9a87211fe95cdaf2cd7992a2c8c065fe589f5845d3e2c54439ab2f767ec37673cbebcc3e0ade40ae455299551e6cb153e
-
Filesize: 512KB
MD5: 6f6c0e8b89e6b0b7c0913aa882070f27
SHA1: 7362c9eda2d00d32e75ab3d8a1941b0548aacc5d
SHA256: 7151f92cdecda9d1ee1286d009737bd9f2f2fea400d9639b6cf26d710cd256e7
SHA512: dc919ceb443b1f794396d49d809cb3cc6ef2ba971cae45f9d441058e134919416dfc18879f3fc9040f1ce340b520228fe8ab56e7f99175d8207cd85afa5791e6
-
Filesize: 512KB
MD5: e0530e158c43f1a915b267201aa88286
SHA1: 53189a6f682438452be5bb3fcf721ed75a8479ad
SHA256: 72f38886dff53b14e47e44ca0c9dd703e621a7d246f91bb5427a720b9c1fb10d
SHA512: 7cfca6c4c66461e5580b6d352cdf8b2a917430fbffa36b3d059aafa093abe626c468ae3e97f05d049447541a25d59fee195b6cc21fb174a4c4df3a2e3f21bbd6
-
Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 449351232d4a914fd4a5165971adc184
SHA1: 7a9d92abb4f22b4c2aaeb34aad51b63f357e4b54
SHA256: 1ebe1f1acd759c2a6fe7a483381f72c27c9bfeea98eb0c3e695fef665564bd82
SHA512: 832cf96e7b919553c235d9cafeff11dfe8a13ae8ba49e105fb8b06d27021ac04dad8d54d07ba52fc300d204d165e4f391762ec627343249ab0ee7d8e12920f0e
-
Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 93fad1cb069452dd8a6d7a7f38e0fa56
SHA1: ce97734486c7cde0cc1e77d3b8fc2203b9fdc45d
SHA256: 4f922f4d3f2382862eed1aa57d8af50d68c1d0e2cb8cee83cdb7293d2493f217
SHA512: 0d5a9b278ae345f95d91085a3396f0abccd9aae0eec5a91ac33df14966f411b264df1347be22c27c165d5e590eb46cb3d7ec53000bb7848ce694f6867dd6a15a
-
Filesize: 512KB
MD5: a6b76fff1d85688bbc668bb08ba33b0b
SHA1: 9afab6fa535cb79b6071a003cac2e16556fa05b2
SHA256: 148724b160323edf35e5f78b4ee3a6cb3b8f5b2629f48f75dffe1b73bef7c553
SHA512: 5825be0dacb9501facc3fd4a2b0490412fb55ed96d49a739a717bb83c4ef40cd1ac306aaea67974335aea7bf321415c9f9d7bad7812b1496dfa23cbea45e84d6
-
Filesize: 512KB
MD5: 66f96ee6562a33941a0295f6f8e0af91
SHA1: 9e2013a57f5c19ffcd01c0c9193030d1ac0af4ec
SHA256: aaefa078f2f09c85764f6b7d2a4582275c686fa453cfdf0da06ac9b1a21565a9
SHA512: d4430f18b378764c169b23883a9afc814bb03f09f46222ff48a4c787f40f12d9a076de66703f1807a1452f08b7d81de2dfc65a165fd3bfbd4c3b3bc7c1989c9b
-
Filesize: 512KB
MD5: 0b1d5db5ceca930405c5c59cec60d17a
SHA1: bf5340e7a3a5c0bf05734fa197ed177ab384ce33
SHA256: c5bcb61ccf491fdf61711cf8ca9548f241594e5258fd0f2768bfe908a26a9488
SHA512: bb68c22655f7f103ba913949675f3d2122e32aca390cb5073b438437e96637b748a1d990860b363ec4514215e4a30fe952640edd485fb3408d55e08e6b442969
-
Filesize: 512KB
MD5: e8b68e9de93061e232b26bf6c6035577
SHA1: 4130a721b7ced7541ae5dc5ad062d72192136e10
SHA256: 7b82d7ecb92add564c1b15f351c3b50e4304402f65618335b08363c9dc5b15ec
SHA512: 8d9a08c96aacaf732ddf43f6bc1bc3515e01f6882484f3ce6f797d494fc0a193d6ef89372ac9cc2c53953d594e4d50681e1b8a6731ff5348bb2460c45ce17cfc
-
Filesize: 512KB
MD5: 2617a4d64a66dbc109f75213ce5392ce
SHA1: 995604b31d7fda075c5a0ef09da1be677db15d51
SHA256: 13a44f45f50bf0780dc26fe4f94375f68b982e697c3f4984429d865a5ce1b5b0
SHA512: 0a502d5472893a45666a3f33fd63ebd36f234c635b6629d118f9c3c31566c297896596916264ef5650ef84f1aec6e38d8f194a5b8ab1cd62cb075d4d85a143be
-
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize: 512KB
MD5: b9536308788963b9e34085f64b28512d
SHA1: 8a5b920f3615853aab727f950399cd25cce3e834
SHA256: aad954933f78c353db64bae803e94d84956aa2b2d6a51390f8bef40227c79abe
SHA512: df43425f399007d29fc4a712707c2a6dbcaf6590f984bb96480791e37fe3dea39a5398633cb838f1e686ddc8520711e2b031ce56362abd2c7101dd8115688a13
-
Filesize: 512KB
MD5: 6bcff6b1d72b77547bb86fbb42bb1ae8
SHA1: 5a4ecec4f75ea3a2e36adcec3555b0b65010c01b
SHA256: acbcdec7914feb081589d37b6de33b5050184c63b6f894b704f729944d08f5e7
SHA512: 3d9c465aecbfa7d5e4223ecbcec35467c193e7a53991b6a0919e222a3914575de20a911b25c09149b4298eb55e17e2be9c4f6164cc73ce4816f630feb1b591bd
-
Filesize: 512KB
MD5: 4592ea75de2e023cf4d5caa3c2c94b82
SHA1: f53b880aa8cf93b347a61d108cba0fe6df4586e0
SHA256: e9a9142d30182cf88ab54841d684ddbbcd1dc90eee00dcb89aeffa6185d04c2a
SHA512: 858b9f15f62abc0d213b6bcacf78fc8d77e730e54247c49f3e912dce7340f67762971b90f7af8eb646ad1700e44fda66f7b511554eeb2125141d4f77a3dbc7bc
-
Eleven of these files are 512KB, the same size as the submitted sample, yet every one carries a different hash and none matches the sample's hashes in the General section, so blocking on the first stage's hashes alone will not catch the copies it writes; use the AutoIt YARA hit, the ssdeep value and the behavioural indicators above instead. The two customDestinations-ms files are Explorer jump-list data under the user's Recent folder, a side effect of the document being opened in Word rather than dropped payloads.