Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/04/2024, 08:16

Static task: static1

Behavioral task: behavioral1
- Sample: 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General
- Target: 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- Size: 512KB
- MD5: 0735fe97a869d158d178917687cba38b
- SHA1: 255a1bc0456365e8bf1382cd4e59c938eeffa9b9
- SHA256: 2ce93a0ce28c4e7aa1e970b3880e057842e3dd19135ca7124eae8e86088813a9
- SHA512: b141d76e6da578edf8f10357a9d66e0eb7e6fc7d2c6d5fc9884b7589af4974dbac9490a930d25568766327828e8d35132ce6bb05c04e36a731061215564056ab
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6f:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bbuyqnchsv.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bbuyqnchsv.exe
Windows security bypass 5 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bbuyqnchsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bbuyqnchsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bbuyqnchsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bbuyqnchsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bbuyqnchsv.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bbuyqnchsv.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
- 3736 | bbuyqnchsv.exe
- 588 | dkcyhcbeckowiln.exe
- 3928 | vdajiaep.exe
- 1384 | ywafazpmszzra.exe
- 1652 | vdajiaep.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bbuyqnchsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bbuyqnchsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bbuyqnchsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bbuyqnchsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | bbuyqnchsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bbuyqnchsv.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wqljbidl = "bbuyqnchsv.exe" | dkcyhcbeckowiln.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bzrtjjmn = "dkcyhcbeckowiln.exe" | dkcyhcbeckowiln.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (default value) = "ywafazpmszzra.exe" | dkcyhcbeckowiln.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process (64 rows, every row is "File opened (read-only)"; grouped here by process, drive letters in the order recorded, repeats kept)
- File opened (read-only) | 23 rows | bbuyqnchsv.exe: \??\y:, \??\m:, \??\z:, \??\p:, \??\s:, \??\w:, \??\x:, \??\j:, \??\l:, \??\r:, \??\u:, \??\e:, \??\i:, \??\k:, \??\n:, \??\a:, \??\h:, \??\t:, \??\o:, \??\b:, \??\g:, \??\q:, \??\v:
- File opened (read-only) | 41 rows | vdajiaep.exe: \??\v:, \??\p:, \??\q:, \??\l:, \??\m:, \??\p:, \??\z:, \??\k:, \??\w:, \??\b:, \??\s:, \??\a:, \??\e:, \??\g:, \??\j:, \??\l:, \??\m:, \??\x:, \??\g:, \??\h:, \??\k:, \??\u:, \??\y:, \??\u:, \??\t:, \??\x:, \??\e:, \??\v:, \??\i:, \??\n:, \??\o:, \??\t:, \??\q:, \??\w:, \??\z:, \??\r:, \??\j:, \??\o:, \??\b:, \??\i:, \??\h:
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | bbuyqnchsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | bbuyqnchsv.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
- behavioral2/memory/1580-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
- behavioral2/files/0x000a000000023b83-5.dat | autoit_exe
- behavioral2/files/0x000b000000023b7f-19.dat | autoit_exe
- behavioral2/files/0x000a000000023b84-26.dat | autoit_exe
- behavioral2/files/0x000a000000023b85-32.dat | autoit_exe
- behavioral2/files/0x000a000000023b90-56.dat | autoit_exe
- behavioral2/files/0x000a000000023b91-64.dat | autoit_exe
- behavioral2/files/0x000300000002355e-67.dat | autoit_exe
- behavioral2/files/0x00030000000229c5-87.dat | autoit_exe
- behavioral2/files/0x00030000000229c5-89.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
- File created | C:\Windows\SysWOW64\dkcyhcbeckowiln.exe | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\vdajiaep.exe | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\bbuyqnchsv.exe | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\ywafazpmszzra.exe | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vdajiaep.exe
- File created | C:\Windows\SysWOW64\bbuyqnchsv.exe | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\dkcyhcbeckowiln.exe | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | bbuyqnchsv.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vdajiaep.exe
- File opened for modification | C:\Windows\SysWOW64\vdajiaep.exe | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\ywafazpmszzra.exe | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vdajiaep.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vdajiaep.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vdajiaep.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vdajiaep.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vdajiaep.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vdajiaep.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vdajiaep.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vdajiaep.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vdajiaep.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vdajiaep.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vdajiaep.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vdajiaep.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vdajiaep.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vdajiaep.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vdajiaep.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vdajiaep.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vdajiaep.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vdajiaep.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vdajiaep.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vdajiaep.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vdajiaep.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vdajiaep.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vdajiaep.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vdajiaep.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vdajiaep.exe
- File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
- File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vdajiaep.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vdajiaep.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vdajiaep.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vdajiaep.exe
- File opened for modification | C:\Windows\mydoc.rtf | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vdajiaep.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vdajiaep.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vdajiaep.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vdajiaep.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | bbuyqnchsv.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | bbuyqnchsv.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | bbuyqnchsv.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | bbuyqnchsv.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | bbuyqnchsv.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | bbuyqnchsv.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8FABFF911F29083783B4286993994B08C02FF4367023EE1BE42EC08A4" | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B12E47EF39E853BEBAD332E9D4BF" | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FCFB485885689140D62D7E95BDE0E631583666366245D7EC" | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C77B14E0DBBFB8CE7C97ED9334C7" | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | bbuyqnchsv.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | bbuyqnchsv.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C7A9D2C82566D4676A570252CD67CF665DF" | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F668B4FE6821A9D272D0A78A7D9166" | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | bbuyqnchsv.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | bbuyqnchsv.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | bbuyqnchsv.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | bbuyqnchsv.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
- 2220 | WINWORD.EXE (2 rows)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (64 rows, consecutive repeats collapsed with their counts)
- 1580 | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe (16 rows)
- 3736 | bbuyqnchsv.exe (10 rows)
- 588 | dkcyhcbeckowiln.exe (8 rows)
- 3928 | vdajiaep.exe (8 rows)
- 588 | dkcyhcbeckowiln.exe (2 rows)
- 1384 | ywafazpmszzra.exe (12 rows)
- 1652 | vdajiaep.exe (8 rows)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process (18 rows, consecutive repeats collapsed with their counts)
- 1580 | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe (3 rows)
- 3736 | bbuyqnchsv.exe (3 rows)
- 588 | dkcyhcbeckowiln.exe
- 3928 | vdajiaep.exe
- 588 | dkcyhcbeckowiln.exe
- 3928 | vdajiaep.exe (2 rows)
- 588 | dkcyhcbeckowiln.exe
- 1384 | ywafazpmszzra.exe (3 rows)
- 1652 | vdajiaep.exe (3 rows)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process (18 rows, consecutive repeats collapsed with their counts)
- 1580 | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe (3 rows)
- 3736 | bbuyqnchsv.exe (3 rows)
- 588 | dkcyhcbeckowiln.exe
- 3928 | vdajiaep.exe
- 588 | dkcyhcbeckowiln.exe
- 3928 | vdajiaep.exe (2 rows)
- 588 | dkcyhcbeckowiln.exe
- 1384 | ywafazpmszzra.exe (3 rows)
- 1652 | vdajiaep.exe (3 rows)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
- 2220 | WINWORD.EXE (7 rows)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target (17 rows, identical consecutive rows collapsed with their counts)
- PID 1580 wrote to memory of 3736 | 1580 | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe | 83 (3 rows)
- PID 1580 wrote to memory of 588 | 1580 | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe | 84 (3 rows)
- PID 1580 wrote to memory of 3928 | 1580 | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe | 85 (3 rows)
- PID 1580 wrote to memory of 1384 | 1580 | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe | 86 (3 rows)
- PID 1580 wrote to memory of 2220 | 1580 | 0735fe97a869d158d178917687cba38b_JaffaCakes118.exe | 87 (2 rows)
- PID 3736 wrote to memory of 1652 | 3736 | bbuyqnchsv.exe | 89 (3 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\0735fe97a869d158d178917687cba38b_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0735fe97a869d158d178917687cba38b_JaffaCakes118.exe"
  PID: 1580
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\bbuyqnchsv.exe (level 2)
    Command line: bbuyqnchsv.exe
    PID: 3736
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\vdajiaep.exe (level 3)
      Command line: C:\Windows\system32\vdajiaep.exe
      PID: 1652
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\dkcyhcbeckowiln.exe (level 2)
    Command line: dkcyhcbeckowiln.exe
    PID: 588
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\vdajiaep.exe (level 2)
    Command line: vdajiaep.exe
    PID: 3928
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\ywafazpmszzra.exe (level 2)
    Command line: ywafazpmszzra.exe
    PID: 1384
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 2220
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads