Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
19/04/2024, 20:01
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
fb10214753750608e5c2129fb638b674_JaffaCakes118.exe
Resource
win7-20240221-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral2
Sample
fb10214753750608e5c2129fb638b674_JaffaCakes118.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
fb10214753750608e5c2129fb638b674_JaffaCakes118.exe
-
Size
512KB
-
MD5
fb10214753750608e5c2129fb638b674
-
SHA1
c447a574de25699d6eaceedbcae3e5501c5b3705
-
SHA256
0e2e676b9203b13b2c70b42f9018c3dff31781cdd876eb7db007366c4c2b9049
-
SHA512
99fc9168a5149361435c03d646a714ea45af60b9c18eab70c584ebbfebc69c8a9dcecddfa924c6f0b8183527c08eba2a73b3324ce8de36af888c96fff9c05549
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6B:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5I
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" yebstxpygc.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" yebstxpygc.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" yebstxpygc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" yebstxpygc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" yebstxpygc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" yebstxpygc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" yebstxpygc.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" yebstxpygc.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation fb10214753750608e5c2129fb638b674_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 4944 yebstxpygc.exe 4972 vdhlrczczdytsbd.exe 5008 lqllgpci.exe 4676 kxkhsfwhiyvzm.exe 3148 lqllgpci.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" yebstxpygc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" yebstxpygc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" yebstxpygc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" yebstxpygc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" yebstxpygc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" yebstxpygc.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfsfssix = "vdhlrczczdytsbd.exe" vdhlrczczdytsbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kxkhsfwhiyvzm.exe" vdhlrczczdytsbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjkzfbgi = "yebstxpygc.exe" vdhlrczczdytsbd.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\o: yebstxpygc.exe File opened (read-only) \??\z: yebstxpygc.exe File opened (read-only) \??\b: lqllgpci.exe File opened (read-only) \??\r: lqllgpci.exe File opened (read-only) \??\w: lqllgpci.exe File opened (read-only) \??\w: lqllgpci.exe File opened (read-only) \??\a: yebstxpygc.exe File opened (read-only) \??\l: yebstxpygc.exe File opened (read-only) \??\o: lqllgpci.exe File opened (read-only) \??\s: lqllgpci.exe File opened (read-only) \??\a: lqllgpci.exe File opened (read-only) \??\p: lqllgpci.exe File opened (read-only) \??\n: lqllgpci.exe File opened (read-only) \??\s: lqllgpci.exe File opened (read-only) \??\x: lqllgpci.exe File opened (read-only) \??\g: yebstxpygc.exe File opened (read-only) \??\j: yebstxpygc.exe File opened (read-only) \??\u: yebstxpygc.exe File opened (read-only) \??\k: lqllgpci.exe File opened (read-only) \??\m: lqllgpci.exe File opened (read-only) \??\m: lqllgpci.exe File opened (read-only) \??\q: lqllgpci.exe File opened (read-only) \??\i: lqllgpci.exe File opened (read-only) \??\t: lqllgpci.exe File opened (read-only) \??\e: yebstxpygc.exe File opened (read-only) \??\s: yebstxpygc.exe File opened (read-only) \??\y: yebstxpygc.exe File opened (read-only) \??\g: lqllgpci.exe File opened (read-only) \??\y: lqllgpci.exe File opened (read-only) \??\b: yebstxpygc.exe File opened (read-only) \??\e: lqllgpci.exe File opened (read-only) \??\h: lqllgpci.exe File opened (read-only) \??\l: lqllgpci.exe File opened (read-only) \??\i: lqllgpci.exe File opened (read-only) \??\j: lqllgpci.exe File opened (read-only) \??\q: lqllgpci.exe File opened (read-only) \??\u: lqllgpci.exe File opened (read-only) \??\k: yebstxpygc.exe File opened (read-only) \??\r: yebstxpygc.exe File opened (read-only) \??\t: yebstxpygc.exe File opened (read-only) \??\y: lqllgpci.exe File opened (read-only) \??\j: lqllgpci.exe File opened (read-only) \??\n: lqllgpci.exe File opened (read-only) \??\n: yebstxpygc.exe File opened (read-only) \??\p: yebstxpygc.exe File opened (read-only) \??\l: lqllgpci.exe File opened (read-only) \??\v: lqllgpci.exe File opened (read-only) \??\x: yebstxpygc.exe File opened (read-only) \??\t: lqllgpci.exe File opened (read-only) \??\z: lqllgpci.exe File opened (read-only) \??\g: lqllgpci.exe File opened (read-only) \??\v: lqllgpci.exe File opened (read-only) \??\b: lqllgpci.exe File opened (read-only) \??\h: lqllgpci.exe File opened (read-only) \??\k: lqllgpci.exe File opened (read-only) \??\o: lqllgpci.exe File opened (read-only) \??\w: yebstxpygc.exe File opened (read-only) \??\r: lqllgpci.exe File opened (read-only) \??\e: lqllgpci.exe File opened (read-only) \??\p: lqllgpci.exe File opened (read-only) \??\h: yebstxpygc.exe File opened (read-only) \??\i: yebstxpygc.exe File opened (read-only) \??\q: yebstxpygc.exe File opened (read-only) \??\x: lqllgpci.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" yebstxpygc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" yebstxpygc.exe -
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/1480-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x00090000000233d3-5.dat autoit_exe behavioral2/files/0x0005000000023277-19.dat autoit_exe behavioral2/files/0x00070000000233f2-26.dat autoit_exe behavioral2/files/0x00070000000233f3-31.dat autoit_exe behavioral2/files/0x00070000000233ff-63.dat autoit_exe behavioral2/files/0x0007000000023400-66.dat autoit_exe behavioral2/files/0x0008000000023406-78.dat autoit_exe behavioral2/files/0x0007000000023407-84.dat autoit_exe behavioral2/files/0x0007000000023419-110.dat autoit_exe behavioral2/files/0x0007000000023419-113.dat autoit_exe -
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\yebstxpygc.exe fb10214753750608e5c2129fb638b674_JaffaCakes118.exe File created C:\Windows\SysWOW64\lqllgpci.exe fb10214753750608e5c2129fb638b674_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll yebstxpygc.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe lqllgpci.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe lqllgpci.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe lqllgpci.exe File created C:\Windows\SysWOW64\yebstxpygc.exe fb10214753750608e5c2129fb638b674_JaffaCakes118.exe File created C:\Windows\SysWOW64\vdhlrczczdytsbd.exe fb10214753750608e5c2129fb638b674_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\vdhlrczczdytsbd.exe fb10214753750608e5c2129fb638b674_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\lqllgpci.exe fb10214753750608e5c2129fb638b674_JaffaCakes118.exe File created C:\Windows\SysWOW64\kxkhsfwhiyvzm.exe fb10214753750608e5c2129fb638b674_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\kxkhsfwhiyvzm.exe fb10214753750608e5c2129fb638b674_JaffaCakes118.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe lqllgpci.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal lqllgpci.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal lqllgpci.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe lqllgpci.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe lqllgpci.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe lqllgpci.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe lqllgpci.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe lqllgpci.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe lqllgpci.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe lqllgpci.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe lqllgpci.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe lqllgpci.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal lqllgpci.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe lqllgpci.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal lqllgpci.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe lqllgpci.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe lqllgpci.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe lqllgpci.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe lqllgpci.exe File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe lqllgpci.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe lqllgpci.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe lqllgpci.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe lqllgpci.exe File opened for modification C:\Windows\mydoc.rtf fb10214753750608e5c2129fb638b674_JaffaCakes118.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe lqllgpci.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe lqllgpci.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe lqllgpci.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe lqllgpci.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe lqllgpci.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe lqllgpci.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe lqllgpci.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe lqllgpci.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh yebstxpygc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" yebstxpygc.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes fb10214753750608e5c2129fb638b674_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C7D9C5282256D4177A777262DD77DF264DA" fb10214753750608e5c2129fb638b674_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B02B47E239EE53C9B9D232EFD7CF" fb10214753750608e5c2129fb638b674_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFC8F482B85199042D7217E92BDE5E140583766416234D799" fb10214753750608e5c2129fb638b674_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC60C14E1DAC4B9BE7FE7ED9737BA" fb10214753750608e5c2129fb638b674_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" yebstxpygc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs yebstxpygc.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings fb10214753750608e5c2129fb638b674_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFAB0F965F195840B3B4281EA3992B3FC02F04261023DE2CD429B08D5" fb10214753750608e5c2129fb638b674_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BC6FE6F22A9D209D0D38A7E9163" fb10214753750608e5c2129fb638b674_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf yebstxpygc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" yebstxpygc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat yebstxpygc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc yebstxpygc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" yebstxpygc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" yebstxpygc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg yebstxpygc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" yebstxpygc.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4900 WINWORD.EXE 4900 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 4944 yebstxpygc.exe 4944 yebstxpygc.exe 4944 yebstxpygc.exe 4944 yebstxpygc.exe 4944 yebstxpygc.exe 4944 yebstxpygc.exe 4944 yebstxpygc.exe 4944 yebstxpygc.exe 4944 yebstxpygc.exe 4944 yebstxpygc.exe 5008 lqllgpci.exe 5008 lqllgpci.exe 5008 lqllgpci.exe 5008 lqllgpci.exe 5008 lqllgpci.exe 5008 lqllgpci.exe 5008 lqllgpci.exe 5008 lqllgpci.exe 4676 kxkhsfwhiyvzm.exe 4676 kxkhsfwhiyvzm.exe 4676 kxkhsfwhiyvzm.exe 4676 kxkhsfwhiyvzm.exe 4676 kxkhsfwhiyvzm.exe 4676 kxkhsfwhiyvzm.exe 4676 kxkhsfwhiyvzm.exe 4676 kxkhsfwhiyvzm.exe 4676 kxkhsfwhiyvzm.exe 4676 kxkhsfwhiyvzm.exe 4676 kxkhsfwhiyvzm.exe 4676 kxkhsfwhiyvzm.exe 4972 vdhlrczczdytsbd.exe 4972 vdhlrczczdytsbd.exe 4972 vdhlrczczdytsbd.exe 4972 vdhlrczczdytsbd.exe 4972 vdhlrczczdytsbd.exe 4972 vdhlrczczdytsbd.exe 4972 vdhlrczczdytsbd.exe 4972 vdhlrczczdytsbd.exe 4972 vdhlrczczdytsbd.exe 4972 vdhlrczczdytsbd.exe 3148 lqllgpci.exe 3148 lqllgpci.exe 3148 lqllgpci.exe 3148 lqllgpci.exe 3148 lqllgpci.exe 3148 lqllgpci.exe 3148 lqllgpci.exe 3148 lqllgpci.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 4944 yebstxpygc.exe 4944 yebstxpygc.exe 4944 yebstxpygc.exe 5008 lqllgpci.exe 5008 lqllgpci.exe 5008 lqllgpci.exe 4972 vdhlrczczdytsbd.exe 4676 kxkhsfwhiyvzm.exe 4972 vdhlrczczdytsbd.exe 4676 kxkhsfwhiyvzm.exe 4972 vdhlrczczdytsbd.exe 4676 kxkhsfwhiyvzm.exe 3148 lqllgpci.exe 3148 lqllgpci.exe 3148 lqllgpci.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 4944 yebstxpygc.exe 4944 yebstxpygc.exe 4944 yebstxpygc.exe 5008 lqllgpci.exe 5008 lqllgpci.exe 5008 lqllgpci.exe 4972 vdhlrczczdytsbd.exe 4676 kxkhsfwhiyvzm.exe 4972 vdhlrczczdytsbd.exe 4676 kxkhsfwhiyvzm.exe 4972 vdhlrczczdytsbd.exe 4676 kxkhsfwhiyvzm.exe 3148 lqllgpci.exe 3148 lqllgpci.exe 3148 lqllgpci.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4900 WINWORD.EXE 4900 WINWORD.EXE 4900 WINWORD.EXE 4900 WINWORD.EXE 4900 WINWORD.EXE 4900 WINWORD.EXE 4900 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1480 wrote to memory of 4944 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 87 PID 1480 wrote to memory of 4944 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 87 PID 1480 wrote to memory of 4944 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 87 PID 1480 wrote to memory of 4972 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 88 PID 1480 wrote to memory of 4972 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 88 PID 1480 wrote to memory of 4972 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 88 PID 1480 wrote to memory of 5008 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 89 PID 1480 wrote to memory of 5008 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 89 PID 1480 wrote to memory of 5008 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 89 PID 1480 wrote to memory of 4676 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 90 PID 1480 wrote to memory of 4676 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 90 PID 1480 wrote to memory of 4676 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 90 PID 4944 wrote to memory of 3148 4944 yebstxpygc.exe 91 PID 4944 wrote to memory of 3148 4944 yebstxpygc.exe 91 PID 4944 wrote to memory of 3148 4944 yebstxpygc.exe 91 PID 1480 wrote to memory of 4900 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 92 PID 1480 wrote to memory of 4900 1480 fb10214753750608e5c2129fb638b674_JaffaCakes118.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb10214753750608e5c2129fb638b674_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fb10214753750608e5c2129fb638b674_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\yebstxpygc.exeyebstxpygc.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\lqllgpci.exeC:\Windows\system32\lqllgpci.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3148
-
-
-
C:\Windows\SysWOW64\vdhlrczczdytsbd.exevdhlrczczdytsbd.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4972
-
-
C:\Windows\SysWOW64\lqllgpci.exelqllgpci.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5008
-
-
C:\Windows\SysWOW64\kxkhsfwhiyvzm.exekxkhsfwhiyvzm.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4676
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4900
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD58149d6e7341e57181baa1539db4da3d0
SHA1cbc62e26a72a77df108ed84996fc0808eb0c5f42
SHA256612d3ab670a830355a5addd09b7b5a52a9cf64ed762cce300d9ef364964c3d3d
SHA51293dc1863b239752b3822ccba74fd6922b0e064f3d433d7a5c03e29d97e65b93b36a6f3981da84ca22fc0a2df6529f7b1403fb4b7f13120bbe15862238046286e
-
Filesize
512KB
MD55c32bfa93ea15c0fd5a74b4d23292d1f
SHA16a7efe2f7732b9ace67b1e191a82621fa0ea8b8c
SHA2565fd4448531ee64d14da3572911aed3efbc04f029a73cbb58c780fc9b43d2ea63
SHA512e216f7fff35d5c0dca2f12d5273629556761e4a416850d806ed018e660c583dc72a9dd905017f57ad2310759671e687cb3004e4d4e2db55d8ab55a08afabf4d1
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
239B
MD5a904d0d5bb2f9203037b6f31a3ee2859
SHA126a954e4c6503ccb30ef6f9097b138ca07226128
SHA256bd133c2e311be342522e82a20cc237a8e0b7ec100d88de44f87708a669962986
SHA51246af63cdb1cdc54a8e95d258b9e45d4606a22a00e23e92628e85ce6edcc5d1c3f7f59a1ee1e78bbde62a071e83cd4ae8a92795424dc87d1ea0d7fc123d7e75ed
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5fa63bd7c833344e84ca2174273d35a41
SHA1203a4836f0934749f1fb2e649456f5fdf8f9affd
SHA2567476367ef0e9a4035fd909471a1ee8b90461ffbcbe2bccc69b656c72ab8d1920
SHA512ca87feed02c3ac70fec7eab0fccb787071041de03df5d574db0a95e7076425afa0d2ae75466204527be6395965492f4722a23592480f5ecd84a93febeb905675
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD591adc5ea7b14986a09db64bd90f4d7c2
SHA184e655ef16f5b1efe180023f3fcd4b2051762878
SHA256605378641991d098c12929b08b0e1db2a8d6153e543ae481870ae99a11fdc83f
SHA512307c1c3c9ff1b48b301c00af72ba35e8b31c89c2b8b903e4ac3d831e4fa6e675d8f1016d4d0a583881fdebe05300ebcf955958a81530dee59d35283f405a5d31
-
Filesize
512KB
MD51e38e98602eb90acf499f1b848fb1559
SHA159344651615a7beba281519732bd4398d747e9cb
SHA256d5ae97bc86388d93f50c2a3181f17ead00c6ed79a278c1f77ff9e97756f0ce67
SHA5124801f34ee356c9806891be5bbccd2a9e6d261baf2246bb3cc8f5411c7e6b1431bac283feccaa322f87effbd0c6a8fc86802e02b7071010cb17902bb69d7c7345
-
Filesize
512KB
MD5a57dd889a124f24162c1558a6f090104
SHA1cbef217ad48cbb4fc737d10836820ba73d65db7a
SHA256a8f33c8d27e85dc1c9298bd25a0b5fa857163ce6c1cf048cbef9a4f5116d2d4b
SHA5122019ee38f154e17d0a2bec6b045eb567a4a51b72ba89ca5b7a6c9e853f966e0fcbce981d1d440df24cf86bbb7c1a48fe4325468339919ed8582b4e859b9339f4
-
Filesize
512KB
MD5a23a8f2a6e7d79938f9be36a7cd22883
SHA1589974b4a3d4213f408bf76d9ac2eb733d9f1986
SHA256566f450dea1c8a5fab513c5a06b852549cb582a90d7c3ff0c7874548f5cce2ab
SHA5122c488435505014460708caa06720cbf94f73125aa73bcf61740da241c7f482c2cb0fadb0be173589619fcc4ced8f13d3426e05a0d658ecac5cbfea83e153460b
-
Filesize
512KB
MD5ecfc6797c75acb54f7127ba0ea88cd2b
SHA1502eac7703222c0d258059daa31bb42697049e65
SHA256686e9cb3712ef1031956817d5e39d5146f18b8d6675ef7898a5a777f6e8b8901
SHA512ab08e00ef650889ca582ca565b3cae6dee19f531fd549c4bfc2fcc59acd2ca0bfde1ba29bc93511acc2144e0e8a485ab748f80ce81d0724c3aff313b880e1d2c
-
Filesize
512KB
MD5320d9870dc3a939f84261e9b192bc877
SHA1465c2657fa5dd68d5881f434c0467b8c5ec0f89c
SHA2565c9617fe641659ac61dd83318772b8b1e60daec5ad4da1388d99e0759c0569d0
SHA512912537d1d33cd432def159e1d392a1125a0f233a2e1570f9a233f4133cd0f1cb9505454f048c60817829c1a7b89fc31e24697efd1629c55ec06d58a98aff5ca3
-
Filesize
512KB
MD59de5dee8c29f9bb10c932d5a6b554792
SHA1341ce6ddfe67205fad07b90c909b40f309326c18
SHA2569dcb2400b019a43d77e8a71072d0cb8d724e4bac9187ced5790107d0b4386a9e
SHA51288db4846c71649920dfab9b70f1c23b56fd761744068a9b8c998fa19e12b0ec6c1817a6ec550681643d4aa669aa56459fc8ad2189dad470ab6f3bbabcdd53263
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5ee2a4a886a3441f93317a36ed7891228
SHA183805828e4d1990b1cdfcde6890564117fb19558
SHA2569021c3a50e9a76fe915570c868f9e164e0707d508e1a670733d4afa47fd62dbd
SHA5125fe4324cf46c78d822a9e89748d7d2140ba1d1bc7bdff6430016a0bb2704b819f2f73bd7c1ea2ca1c830c3e54d39d52a594e4f586c5c1e81b31a0857423a64f9
-
Filesize
512KB
MD5b4ebc397c6a220a7a6a2ac85180b6602
SHA135a8e9cb217358e16a368e5f93f49e8340690ab6
SHA256afa12198c2a7d680ae278766ed26fe2aaa2850215774b8d99689d57cc4c27127
SHA5124947630cdd86e28e983e55acd563cd3edaadb25cea64731fd0229f81bd42360ed4262480a8276bc5dcf8c7842ec9efe545bd0d3a38294f178fb153b69d969960