Analysis
- max time kernel: 150s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/04/2024, 09:58
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
  - Resource: win7-20240221-en
- Behavioral task: behavioral2
  - Sample: 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
  - Resource: win10v2004-20240419-en
General
- Target: 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- Size: 512KB
- MD5: 098f94a702d5b06ec699099985bee13d
- SHA1: 63ee716e024d9e9f4b5445207bb03d04a9730506
- SHA256: 15e03a2b72f9f2814d4d7d18985d0ac76ac3d7b3eabddc73c34d92f8d58ac6e2
- SHA512: 1364b0fc5ee69e1edf7a5501d007f93be4c3d857adc2a6646dd728003f2bfd76fc80d91f35b903601176f3dddcc7552a66bdc85795d5d75948e54f4675f1af6d
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
(description | ioc | Process)
- Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | tvbwiqbbjl.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
(description | ioc | Process)
- Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tvbwiqbbjl.exe

Windows security bypass (5 IoCs)
(description | ioc | Process)
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tvbwiqbbjl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tvbwiqbbjl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tvbwiqbbjl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tvbwiqbbjl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tvbwiqbbjl.exe
Disables RegEdit via registry modification (1 IoCs)
(description | ioc | Process)
- Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tvbwiqbbjl.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
(description | ioc | Process)
- Key value queried | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
(pid | Process)
- 4376 | tvbwiqbbjl.exe
- 4156 | dzidwuoufcszwsj.exe
- 3888 | zlqnymkl.exe
- 512 | gerzbazxwojwv.exe
- 4772 | zlqnymkl.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Windows security modification (6 IoCs)
(description | ioc | Process)
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | tvbwiqbbjl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tvbwiqbbjl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tvbwiqbbjl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tvbwiqbbjl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tvbwiqbbjl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tvbwiqbbjl.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
(description | ioc | Process)
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eixtrnnb = "tvbwiqbbjl.exe" | dzidwuoufcszwsj.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zpxqryap = "dzidwuoufcszwsj.exe" | dzidwuoufcszwsj.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gerzbazxwojwv.exe" | dzidwuoufcszwsj.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
(description | ioc | Process; the 64 entries are grouped by process below, with the drive letters each process opened)
- File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | tvbwiqbbjl.exe (22 entries: every letter except c, d, f and h)
- File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | zlqnymkl.exe (42 entries: every letter except c, d and f, each recorded twice except j, l, q and v)
Modifies WinLogon (2 TTPs, 2 IoCs)
(description | ioc | Process)
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | tvbwiqbbjl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | tvbwiqbbjl.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
(resource | yara_rule)
- behavioral2/memory/552-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
- behavioral2/files/0x000a000000023b89-5.dat | autoit_exe
- behavioral2/files/0x000b000000023b85-18.dat | autoit_exe
- behavioral2/files/0x000a000000023b8a-26.dat | autoit_exe
- behavioral2/files/0x000a000000023b8b-32.dat | autoit_exe
- behavioral2/files/0x000a000000023b99-69.dat | autoit_exe
- behavioral2/files/0x000a000000023b99-72.dat | autoit_exe
- behavioral2/files/0x00030000000232ad-80.dat | autoit_exe
- behavioral2/files/0x000a000000023ba3-98.dat | autoit_exe
- behavioral2/files/0x000a000000023ba3-472.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
(description | ioc | Process)
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | tvbwiqbbjl.exe
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File created | C:\Windows\SysWOW64\tvbwiqbbjl.exe | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\tvbwiqbbjl.exe | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\dzidwuoufcszwsj.exe | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\zlqnymkl.exe | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\zlqnymkl.exe | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\gerzbazxwojwv.exe | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File opened for modification | C:\Windows\SysWOW64\dzidwuoufcszwsj.exe | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\gerzbazxwojwv.exe | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zlqnymkl.exe
Drops file in Program Files directory (14 IoCs)
(description | ioc | Process)
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zlqnymkl.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zlqnymkl.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zlqnymkl.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zlqnymkl.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zlqnymkl.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zlqnymkl.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zlqnymkl.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zlqnymkl.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zlqnymkl.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zlqnymkl.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zlqnymkl.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zlqnymkl.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zlqnymkl.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zlqnymkl.exe
Drops file in Windows directory (19 IoCs)
(description | ioc | Process)
- File opened for modification | C:\Windows\mydoc.rtf | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zlqnymkl.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zlqnymkl.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
(description | ioc | Process)
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
(description | ioc | Process)
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
(description | ioc | Process)
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F46BC3FF6C22DCD172D0A08A0C9113" | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | tvbwiqbbjl.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | tvbwiqbbjl.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472D7E9C5282586A3577D170242CDC7D8464AC" | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFF824F5D821B9141D75F7EE6BCE5E635593167366242D6E9" | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | tvbwiqbbjl.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | tvbwiqbbjl.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | tvbwiqbbjl.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | tvbwiqbbjl.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | tvbwiqbbjl.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8F9BEF964F1E2840C3A4486ED3E94B089028C42120233E2C9459C08A0" | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC70E1493DBC5B9BD7F92ED9F37C9" | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | tvbwiqbbjl.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | tvbwiqbbjl.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B15F44EF39EC52BEBAA6329ED7CA" | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | tvbwiqbbjl.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | tvbwiqbbjl.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | tvbwiqbbjl.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
(pid | Process)
- 4980 | WINWORD.EXE (recorded 2 times)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
(pid | Process, with the number of times each entry is recorded)
- 552 | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe (16 times)
- 4156 | dzidwuoufcszwsj.exe (12 times)
- 4376 | tvbwiqbbjl.exe (10 times)
- 3888 | zlqnymkl.exe (8 times)
- 512 | gerzbazxwojwv.exe (12 times)
- 4772 | zlqnymkl.exe (6 times)
Suspicious use of FindShellTrayWindow (18 IoCs)
(pid | Process, with the number of times each entry is recorded)
- 552 | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe (3 times)
- 4156 | dzidwuoufcszwsj.exe (3 times)
- 4376 | tvbwiqbbjl.exe (3 times)
- 3888 | zlqnymkl.exe (3 times)
- 512 | gerzbazxwojwv.exe (3 times)
- 4772 | zlqnymkl.exe (3 times)
Suspicious use of SendNotifyMessage (18 IoCs)
(pid | Process, with the number of times each entry is recorded)
- 552 | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe (3 times)
- 4156 | dzidwuoufcszwsj.exe (3 times)
- 4376 | tvbwiqbbjl.exe (3 times)
- 3888 | zlqnymkl.exe (3 times)
- 512 | gerzbazxwojwv.exe (3 times)
- 4772 | zlqnymkl.exe (3 times)
Suspicious use of SetWindowsHookEx (7 IoCs)
(pid | Process)
- 4980 | WINWORD.EXE (recorded 7 times)
Suspicious use of WriteProcessMemory (17 IoCs)
(description | pid | Process | procid_target, with the number of times each entry is recorded)
- PID 552 wrote to memory of 4376 | 552 | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe | 84 (3 times)
- PID 552 wrote to memory of 4156 | 552 | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe | 85 (3 times)
- PID 552 wrote to memory of 3888 | 552 | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe | 86 (3 times)
- PID 552 wrote to memory of 512 | 552 | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe | 87 (3 times)
- PID 552 wrote to memory of 4980 | 552 | 098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe | 88 (2 times)
- PID 4376 wrote to memory of 4772 | 4376 | tvbwiqbbjl.exe | 90 (3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe, PID 552, command line: "C:\Users\Admin\AppData\Local\Temp\098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\tvbwiqbbjl.exe, PID 4376, command line: tvbwiqbbjl.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\zlqnymkl.exe, PID 4772, command line: C:\Windows\system32\zlqnymkl.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - Child: C:\Windows\SysWOW64\dzidwuoufcszwsj.exe, PID 4156, command line: dzidwuoufcszwsj.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - Child: C:\Windows\SysWOW64\zlqnymkl.exe, PID 3888, command line: zlqnymkl.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - Child: C:\Windows\SysWOW64\gerzbazxwojwv.exe, PID 512, command line: gerzbazxwojwv.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - Child: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE, PID 4980, command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads
- Filesize: 512KB
  MD5: 209400861ac065c818c3dd9a69232171
  SHA1: ae632144101c444c50e6c891e502ecac295b96f5
  SHA256: a8c6a884f594daa9d711b242fac3f33cd75de3a6e535a78719abbf7922e545b8
  SHA512: c2872fda92314c058e3fe64dc5263418b5d8eb1cd73976c69e35327a655c54447484bcc938df6033a659f6e7c796fcdbdc9b9e3a654719b7fec5b2a362bd0ea5
- Filesize: 512KB
  MD5: 41929e56987a4163d359730aad8101e5
  SHA1: db4d57b65cf212465df9a0cddc0ee11049dbf7df
  SHA256: 9d9bb3c8d2fc8c37f13e10f0a2723d67e1858fb427829edeead1995010b77fd4
  SHA512: 786696beb537fe458a81726d60b2beb2a8595e962fd106460db1fc05cadccb5ef32daacbf034d6e7a916d3c4395362d06d34c2a6e3f263a884efcd19dea2df1c
- Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
- Filesize: 239B
  MD5: 4e2ddddec076ae1469fea38bbe9fe5be
  SHA1: d5da2e049613ac4ac0e01e174b7a3e8cb3aae67e
  SHA256: a163003ab9fbee533ddc28e1ff24424388871bccb0495a73b29c33def5f5a197
  SHA512: 1ef1a7dee8b68f56fd6515c211c02bd9e27c00fdfedd07a82f57827be5195e4a5f21d630f87a91b43a58a52d7b5fd86a7d044f8daa5c90cd57bae0921953e896
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 8957b68379d75a79afae7d43195e06fd
  SHA1: 5827a33953f8c112066fae2e1f14609d0c1a1769
  SHA256: 186b842c3382c9adcd0d71b17a7428be355ffb6007fd08084a25b45425b60907
  SHA512: 3376e383f63590253c3f4c56b592dd75f01ab4cfe6873889471f6115b7dcbc54434f59b0da121bb1b098161bcfb5c369c7c01c2e12bb95ddf579ebc4b0dfcea7
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 32a1659a840f257dad91d366ab5e4f2c
  SHA1: f67ec46e15249762dcfeaf6b87337aa834f53db2
  SHA256: 0fc499cda666434b6e0cc364c55860c5631e94b4a6d3a8904111652e5de3a31e
  SHA512: 9d54d62d244fbefe74f4c4958fe302e9105bc9be290edb41e7d4cafb9d8b9a6dbac4f70bcce2286b52e20bbb54085595e43edb58c49026d3129cffb5330f922c
- Filesize: 512KB
  MD5: 33892936b6ebabbcca9ecc65827d7a98
  SHA1: 56e308f0eecd99fa295a6b631925f08c9235769f
  SHA256: 925230e70d2d785e405f29ebf397e9fec6da2537bafa9473edbd89279a529ce6
  SHA512: c383f0e388b5f630b73959242fb9849bfba4af82fbb82292c683ef3b057ce666ab5b37d5029a5bf9e1bc8daf56b47d6f74f955efcfe5e87abaa200185842f7ef
- Filesize: 512KB
  MD5: 279568b7952d7599cc741574168cecfb
  SHA1: c9eaa13701f9a120780eabcc844814624226acfb
  SHA256: d73d1533ef6bda9a921a9c1afa04a234774444165504bdc20d9748e3a7e6f57a
  SHA512: e8712a80f95aa1d8a5e177a941ebd4ad2f8d58b59da8c97da4204936e99ab6ad8340006ba7531ad554e3317429a9bb27b914e8074047c5f42dcb3b247be3fe24
- Filesize: 512KB
  MD5: 829157b7b39b90a33809b0b9d936f298
  SHA1: 10385a49510fcdeb099663b9bc264c00df797295
  SHA256: 3b1d6360ea56c5413ad2820f02904bc5a31f1973e73413af0e2258c3c631c9d3
  SHA512: 02509636872eb27970d5eedafb232cd7eb53f916e9092a342dbcd2e00c82b77120ee09cade521cd57454a267ccd26837388985310d6aef160a2a029b427e3990
- Filesize: 512KB
  MD5: fe2d4b02a18e14787ec4a34a9686ea50
  SHA1: ab9d4bf5001ab3139ed3528dfa82378008ff44ff
  SHA256: 0dc12927de5cf79e1409426654a3ec741733ebd2788618f12851007e1979f9ce
  SHA512: 004ad1f795ce8abeeb32c15a430f112b5aac346a9756a45de30fa694b35d0087fb37419fa514284056ece497479d475298e85e4e742282d1801f1c68cfd39d07
- Filesize: 512KB
  MD5: 992fbbdfe87192e81ff4bce1d3b7bbb0
  SHA1: c8115fa53ae8ba6738cf1ae85cfe677b5752bf54
  SHA256: f7e9bb535e53f602500977ac26bcdec710ebd1d60f5d0d62bebd32b8b8ca786f
  SHA512: 34f3fecc667fe0ffa6dad7682c80e492dd9dacbd22a43948263e3d7574542173e47a2d57d2c9e5264581ebeb8961cd839314bc8192b3b97309e782c021411155
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 512KB
  MD5: 13634751c18034b4c60ee8d16b8e521d
  SHA1: 6036f592b5f976aee04ccc093b2f9f7a4b7d64df
  SHA256: f786b9ea4f137bb8ec4e9b2263e531591c41ba2d893ba5acad6b34b01533cb6d
  SHA512: 3a59563225af23f0db3fb9d75bce769ba68575ec3e9a74e08ec8dbf7cff2a685e6c67bc97a44507f040c4f90b936f66dd2086cf72c3b1944effe5b8ee95f1f4f
- Filesize: 512KB
  MD5: 56a016e803e5c8ec0ad73bd6f1784401
  SHA1: 3b9201989435eba256e72cb556dfe40c7c22cb8b
  SHA256: 078abc943ef8a233b8300d143e41e8045550344401ef6e66de42b3698a235532
  SHA512: 6d613662ef4d0eb82bf250308a29a04fbd76c1c3f49736516b284d55ba2a0a78921a59c9861d2e630271ef32939793619d04d7077f67908cc5f62c029543182d