Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/04/2024, 10:55
Static task: static1
Behavioral task: behavioral1
- Sample: ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
Target: ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
Size: 512KB
MD5: ed41a69b8fbfbdee0148eba63b9c6e01
SHA1: f67434b508c5eed439f835407e228e8502585786
SHA256: cc3e5058ac37e5db39fa7e4ea00e44ec20f06400a3ea2e4930da4cadf77b2546
SHA512: 15ec8b4857834c9bff2eb44eec9e7791c8811f5568862ed0f263b54681e65c9f40c33bc33d62d3e98337e5466e29ebdea04a3a5b6c62f81c0410608c109edbca
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6k:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5t
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" [nezzvuwodc.exe]
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" [nezzvuwodc.exe]
Windows security bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [nezzvuwodc.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [nezzvuwodc.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [nezzvuwodc.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [nezzvuwodc.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" [nezzvuwodc.exe]
Disables RegEdit via registry modification (1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" [nezzvuwodc.exe]
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation [ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe]
Executes dropped EXE (5 IoCs)
- PID 1476: nezzvuwodc.exe
- PID 3820: blvzdalwsmzkngi.exe
- PID 4908: czjejpga.exe
- PID 376: zxweicrlpcnqp.exe
- PID 4264: czjejpga.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [nezzvuwodc.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [nezzvuwodc.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [nezzvuwodc.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" [nezzvuwodc.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [nezzvuwodc.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" [nezzvuwodc.exe]
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smklapcb = "blvzdalwsmzkngi.exe" [blvzdalwsmzkngi.exe]
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zxweicrlpcnqp.exe" [blvzdalwsmzkngi.exe]
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dlbsypmq = "nezzvuwodc.exe" [blvzdalwsmzkngi.exe]
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by czjejpga.exe: \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (43 open events in total; several letters were opened more than once)
- File opened (read-only) by nezzvuwodc.exe: \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (21 open events)
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" [nezzvuwodc.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" [nezzvuwodc.exe]
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched on:
- behavioral2/memory/2096-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x00070000000231ef-5.dat
- behavioral2/files/0x00070000000231f0-27.dat
- behavioral2/files/0x00070000000231f1-32.dat
- behavioral2/files/0x00090000000231eb-19.dat
- behavioral2/files/0x000500000001695a-84.dat
- behavioral2/files/0x000400000001e590-105.dat
- behavioral2/files/0x000400000001e590-108.dat
Drops file in System32 directory (12 IoCs)
- File created: C:\Windows\SysWOW64\nezzvuwodc.exe [ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe]
- File created: C:\Windows\SysWOW64\blvzdalwsmzkngi.exe [ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe]
- File opened for modification: C:\Windows\SysWOW64\czjejpga.exe [ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe]
- File created: C:\Windows\SysWOW64\zxweicrlpcnqp.exe [ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe]
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe [czjejpga.exe]
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe [czjejpga.exe]
- File opened for modification: C:\Windows\SysWOW64\nezzvuwodc.exe [ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe]
- File opened for modification: C:\Windows\SysWOW64\blvzdalwsmzkngi.exe [ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe]
- File created: C:\Windows\SysWOW64\czjejpga.exe [ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe]
- File opened for modification: C:\Windows\SysWOW64\zxweicrlpcnqp.exe [ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe]
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll [nezzvuwodc.exe]
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe [czjejpga.exe]
Drops file in Program Files directory (14 IoCs, all by czjejpga.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (2 events)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (2 events)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (2 events)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (2 events)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (2 events)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (2 events)
Drops file in Windows directory (19 IoCs)
- File opened for modification: C:\Windows\mydoc.rtf [ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe]
- File opened for modification: C:\Windows\mydoc.rtf [WINWORD.EXE]
- File created: C:\Windows\~$mydoc.rtf [WINWORD.EXE]
- File created (2 events) and opened for modification (2 events): \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe [czjejpga.exe]
- File created (2 events) and opened for modification (2 events): \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe [czjejpga.exe]
- File created (2 events) and opened for modification (2 events): \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe [czjejpga.exe]
- File created (2 events) and opened for modification (2 events): \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe [czjejpga.exe]
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 [WINWORD.EXE]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz [WINWORD.EXE]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString [WINWORD.EXE]
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS [WINWORD.EXE]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily [WINWORD.EXE]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU [WINWORD.EXE]
Modifies registry class (20 IoCs)
By ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe:
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342C7D9D2382556D4377D577212CAA7DF364DA"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFAB8FE6BF29383743B4086973E96B38C02F942620332E1BF42E708A3"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B02047E4399853C4B9D23292D7BC"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFC8F4F27856D9131D75D7E97BDE1E63259446732623FD6EB"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BB9FE6622DBD179D1D58A74906B"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC67C1596DAB7B8BC7FE4EDE434CB"
- Key created: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings
By nezzvuwodc.exe (script and registry file extensions are remapped to the plain-text handler):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 228: WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2096: ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe (16 events)
- PID 3820: blvzdalwsmzkngi.exe (12 events)
- PID 1476: nezzvuwodc.exe (10 events)
- PID 4908: czjejpga.exe (8 events)
- PID 376: zxweicrlpcnqp.exe (16 events)
- PID 4264: czjejpga.exe (2 events)
Suspicious use of FindShellTrayWindow (18 IoCs)
- PID 2096: ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe (3 events)
- PID 3820: blvzdalwsmzkngi.exe (3 events)
- PID 1476: nezzvuwodc.exe (3 events)
- PID 4908: czjejpga.exe (3 events)
- PID 376: zxweicrlpcnqp.exe (3 events)
- PID 4264: czjejpga.exe (3 events)
Suspicious use of SendNotifyMessage (18 IoCs)
- PID 2096: ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe (3 events)
- PID 3820: blvzdalwsmzkngi.exe (3 events)
- PID 1476: nezzvuwodc.exe (3 events)
- PID 4908: czjejpga.exe (3 events)
- PID 376: zxweicrlpcnqp.exe (3 events)
- PID 4264: czjejpga.exe (3 events)
Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 228: WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory (17 IoCs)
- PID 2096 (ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe) wrote to memory of PID 1476, target 84 (3 events)
- PID 2096 (ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe) wrote to memory of PID 3820, target 85 (3 events)
- PID 2096 (ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe) wrote to memory of PID 4908, target 86 (3 events)
- PID 2096 (ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe) wrote to memory of PID 376, target 87 (3 events)
- PID 2096 (ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe) wrote to memory of PID 228, target 88 (2 events)
- PID 1476 (nezzvuwodc.exe) wrote to memory of PID 4264, target 90 (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe (PID 2096, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\nezzvuwodc.exe (PID 1476, depth 2)
    Command line: nezzvuwodc.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\czjejpga.exe (PID 4264, depth 3)
        Command line: C:\Windows\system32\czjejpga.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\blvzdalwsmzkngi.exe (PID 3820, depth 2)
    Command line: blvzdalwsmzkngi.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\czjejpga.exe (PID 4908, depth 2)
    Command line: czjejpga.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\zxweicrlpcnqp.exe (PID 376, depth 2)
    Command line: zxweicrlpcnqp.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 228, depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads