Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
01/05/2024, 17:11
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe
Resource
win7-20240221-en
windows7-x64
28 signatures
150 seconds
Behavioral task
behavioral2
Sample
0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe
-
Size
512KB
-
MD5
0c5cd0f718c434c0f6a1355ec78cc043
-
SHA1
aaf1646abd4b922e8732eaece2d1acd9eb9aa39f
-
SHA256
13d6d1c77f9af1e559a46e2dbe55f647b1caf79ab86b56753a03c85c42944177
-
SHA512
20272d25cf4d224d4911fd7506cc18eb9aed1cb77515b1d3e2456f9190ceb422ad78787e8af73ec3413e8ff151f366562976ff88ff9fb5fdd07cfc4c53205f2f
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6T:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" bgufebzvfd.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" bgufebzvfd.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" bgufebzvfd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" bgufebzvfd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" bgufebzvfd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bgufebzvfd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" bgufebzvfd.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bgufebzvfd.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 4604 bgufebzvfd.exe 4136 rixqncdccetdurp.exe 3992 sdtwgkmy.exe 2460 uzgthqnvxicyc.exe 3636 sdtwgkmy.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" bgufebzvfd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" bgufebzvfd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" bgufebzvfd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" bgufebzvfd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bgufebzvfd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" bgufebzvfd.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vkxvoxyw = "bgufebzvfd.exe" rixqncdccetdurp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kfdkvjlf = "rixqncdccetdurp.exe" rixqncdccetdurp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "uzgthqnvxicyc.exe" rixqncdccetdurp.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\p: bgufebzvfd.exe File opened (read-only) \??\g: sdtwgkmy.exe File opened (read-only) \??\g: bgufebzvfd.exe File opened (read-only) \??\j: sdtwgkmy.exe File opened (read-only) \??\v: sdtwgkmy.exe File opened (read-only) \??\w: sdtwgkmy.exe File opened (read-only) \??\w: bgufebzvfd.exe File opened (read-only) \??\p: sdtwgkmy.exe File opened (read-only) \??\q: sdtwgkmy.exe File opened (read-only) \??\e: sdtwgkmy.exe File opened (read-only) \??\m: sdtwgkmy.exe File opened (read-only) \??\z: sdtwgkmy.exe File opened (read-only) \??\y: sdtwgkmy.exe File opened (read-only) \??\z: sdtwgkmy.exe File opened (read-only) \??\x: bgufebzvfd.exe File opened (read-only) \??\l: sdtwgkmy.exe File opened (read-only) \??\a: sdtwgkmy.exe File opened (read-only) \??\i: sdtwgkmy.exe File opened (read-only) \??\k: sdtwgkmy.exe File opened (read-only) \??\r: bgufebzvfd.exe File opened (read-only) \??\s: bgufebzvfd.exe File opened (read-only) \??\h: sdtwgkmy.exe File opened (read-only) \??\o: sdtwgkmy.exe File opened (read-only) \??\b: sdtwgkmy.exe File opened (read-only) \??\r: sdtwgkmy.exe File opened (read-only) \??\s: sdtwgkmy.exe File opened (read-only) \??\e: bgufebzvfd.exe File opened (read-only) \??\h: bgufebzvfd.exe File opened (read-only) \??\m: bgufebzvfd.exe File opened (read-only) \??\o: bgufebzvfd.exe File opened (read-only) \??\n: sdtwgkmy.exe File opened (read-only) \??\i: bgufebzvfd.exe File opened (read-only) \??\e: sdtwgkmy.exe File opened (read-only) \??\i: sdtwgkmy.exe File opened (read-only) \??\q: bgufebzvfd.exe File opened (read-only) \??\q: sdtwgkmy.exe File opened (read-only) \??\t: sdtwgkmy.exe File opened (read-only) \??\u: sdtwgkmy.exe File opened (read-only) \??\w: sdtwgkmy.exe File opened (read-only) \??\t: bgufebzvfd.exe File opened (read-only) \??\x: sdtwgkmy.exe File opened (read-only) \??\l: sdtwgkmy.exe File opened (read-only) \??\n: sdtwgkmy.exe File opened (read-only) \??\l: bgufebzvfd.exe File opened (read-only) \??\y: bgufebzvfd.exe File opened (read-only) \??\k: sdtwgkmy.exe File opened (read-only) \??\m: sdtwgkmy.exe File opened (read-only) \??\y: sdtwgkmy.exe File opened (read-only) \??\n: bgufebzvfd.exe File opened (read-only) \??\v: bgufebzvfd.exe File opened (read-only) \??\o: sdtwgkmy.exe File opened (read-only) \??\p: sdtwgkmy.exe File opened (read-only) \??\b: bgufebzvfd.exe File opened (read-only) \??\a: sdtwgkmy.exe File opened (read-only) \??\s: sdtwgkmy.exe File opened (read-only) \??\j: sdtwgkmy.exe File opened (read-only) \??\u: bgufebzvfd.exe File opened (read-only) \??\b: sdtwgkmy.exe File opened (read-only) \??\t: sdtwgkmy.exe File opened (read-only) \??\v: sdtwgkmy.exe File opened (read-only) \??\x: sdtwgkmy.exe File opened (read-only) \??\a: bgufebzvfd.exe File opened (read-only) \??\j: bgufebzvfd.exe File opened (read-only) \??\z: bgufebzvfd.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" bgufebzvfd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" bgufebzvfd.exe -
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/884-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x000a000000023b8f-5.dat autoit_exe behavioral2/files/0x000b000000023b8b-18.dat autoit_exe behavioral2/files/0x000a000000023b90-26.dat autoit_exe behavioral2/files/0x000a000000023b91-32.dat autoit_exe behavioral2/files/0x000a000000023b9f-75.dat autoit_exe behavioral2/files/0x000b000000023b78-69.dat autoit_exe behavioral2/files/0x000c000000023bc0-411.dat autoit_exe behavioral2/files/0x000c000000023bc0-578.dat autoit_exe -
Drops file in System32 directory 12 IoCs
description ioc Process File created C:\Windows\SysWOW64\bgufebzvfd.exe 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\bgufebzvfd.exe 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\rixqncdccetdurp.exe 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe File created C:\Windows\SysWOW64\sdtwgkmy.exe 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\sdtwgkmy.exe 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe File created C:\Windows\SysWOW64\uzgthqnvxicyc.exe 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\uzgthqnvxicyc.exe 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe File created C:\Windows\SysWOW64\rixqncdccetdurp.exe 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll bgufebzvfd.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe sdtwgkmy.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe sdtwgkmy.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe sdtwgkmy.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal sdtwgkmy.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal sdtwgkmy.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe sdtwgkmy.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe sdtwgkmy.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe sdtwgkmy.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal sdtwgkmy.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe sdtwgkmy.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe sdtwgkmy.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe sdtwgkmy.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal sdtwgkmy.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe sdtwgkmy.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe sdtwgkmy.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe sdtwgkmy.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe sdtwgkmy.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe sdtwgkmy.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe sdtwgkmy.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe sdtwgkmy.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe sdtwgkmy.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe sdtwgkmy.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe sdtwgkmy.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe sdtwgkmy.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe sdtwgkmy.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe sdtwgkmy.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe sdtwgkmy.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe sdtwgkmy.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe sdtwgkmy.exe File opened for modification C:\Windows\mydoc.rtf 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe sdtwgkmy.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe sdtwgkmy.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe sdtwgkmy.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe sdtwgkmy.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F76BC5FF6C22DED27FD1A68B099014" 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C7F9D2C83596A4276D277552DD87DF164DD" 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC60C15E6DAB0B9B97C97ED9234CF" 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" bgufebzvfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" bgufebzvfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg bgufebzvfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B12E4495389E53C9BAA03298D4CF" 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FC8D4827826E9130D65F7DE2BC92E643593767446237D7EE" 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat bgufebzvfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh bgufebzvfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc bgufebzvfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" bgufebzvfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFABDFE65F298837E3B42869F3992B08C02F14213033DE2CB459B09D1" 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" bgufebzvfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" bgufebzvfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" bgufebzvfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf bgufebzvfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs bgufebzvfd.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4208 WINWORD.EXE 4208 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 4604 bgufebzvfd.exe 4604 bgufebzvfd.exe 4604 bgufebzvfd.exe 4604 bgufebzvfd.exe 4604 bgufebzvfd.exe 4604 bgufebzvfd.exe 4604 bgufebzvfd.exe 4604 bgufebzvfd.exe 4604 bgufebzvfd.exe 4604 bgufebzvfd.exe 4136 rixqncdccetdurp.exe 4136 rixqncdccetdurp.exe 4136 rixqncdccetdurp.exe 4136 rixqncdccetdurp.exe 4136 rixqncdccetdurp.exe 4136 rixqncdccetdurp.exe 4136 rixqncdccetdurp.exe 4136 rixqncdccetdurp.exe 4136 rixqncdccetdurp.exe 4136 rixqncdccetdurp.exe 2460 uzgthqnvxicyc.exe 2460 uzgthqnvxicyc.exe 2460 uzgthqnvxicyc.exe 2460 uzgthqnvxicyc.exe 2460 uzgthqnvxicyc.exe 2460 uzgthqnvxicyc.exe 3992 sdtwgkmy.exe 3992 sdtwgkmy.exe 2460 uzgthqnvxicyc.exe 3992 sdtwgkmy.exe 2460 uzgthqnvxicyc.exe 3992 sdtwgkmy.exe 3992 sdtwgkmy.exe 3992 sdtwgkmy.exe 3992 sdtwgkmy.exe 3992 sdtwgkmy.exe 2460 uzgthqnvxicyc.exe 2460 uzgthqnvxicyc.exe 2460 uzgthqnvxicyc.exe 2460 uzgthqnvxicyc.exe 3636 sdtwgkmy.exe 3636 sdtwgkmy.exe 3636 sdtwgkmy.exe 3636 sdtwgkmy.exe 3636 sdtwgkmy.exe 3636 sdtwgkmy.exe 3636 sdtwgkmy.exe 3636 sdtwgkmy.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 4136 rixqncdccetdurp.exe 4604 bgufebzvfd.exe 4136 rixqncdccetdurp.exe 4604 bgufebzvfd.exe 4604 bgufebzvfd.exe 4136 rixqncdccetdurp.exe 2460 uzgthqnvxicyc.exe 3992 sdtwgkmy.exe 2460 uzgthqnvxicyc.exe 3992 sdtwgkmy.exe 2460 uzgthqnvxicyc.exe 3992 sdtwgkmy.exe 3636 sdtwgkmy.exe 3636 sdtwgkmy.exe 3636 sdtwgkmy.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 4136 rixqncdccetdurp.exe 4604 bgufebzvfd.exe 4136 rixqncdccetdurp.exe 4604 bgufebzvfd.exe 4604 bgufebzvfd.exe 4136 rixqncdccetdurp.exe 2460 uzgthqnvxicyc.exe 3992 sdtwgkmy.exe 2460 uzgthqnvxicyc.exe 3992 sdtwgkmy.exe 2460 uzgthqnvxicyc.exe 3992 sdtwgkmy.exe 3636 sdtwgkmy.exe 3636 sdtwgkmy.exe 3636 sdtwgkmy.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4208 WINWORD.EXE 4208 WINWORD.EXE 4208 WINWORD.EXE 4208 WINWORD.EXE 4208 WINWORD.EXE 4208 WINWORD.EXE 4208 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 884 wrote to memory of 4604 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 83 PID 884 wrote to memory of 4604 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 83 PID 884 wrote to memory of 4604 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 83 PID 884 wrote to memory of 4136 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 84 PID 884 wrote to memory of 4136 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 84 PID 884 wrote to memory of 4136 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 84 PID 884 wrote to memory of 3992 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 85 PID 884 wrote to memory of 3992 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 85 PID 884 wrote to memory of 3992 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 85 PID 884 wrote to memory of 2460 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 86 PID 884 wrote to memory of 2460 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 86 PID 884 wrote to memory of 2460 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 86 PID 884 wrote to memory of 4208 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 88 PID 884 wrote to memory of 4208 884 0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe 88 PID 4604 wrote to memory of 3636 4604 bgufebzvfd.exe 90 PID 4604 wrote to memory of 3636 4604 bgufebzvfd.exe 90 PID 4604 wrote to memory of 3636 4604 bgufebzvfd.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0c5cd0f718c434c0f6a1355ec78cc043_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\bgufebzvfd.exebgufebzvfd.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\sdtwgkmy.exeC:\Windows\system32\sdtwgkmy.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3636
-
-
-
C:\Windows\SysWOW64\rixqncdccetdurp.exerixqncdccetdurp.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4136
-
-
C:\Windows\SysWOW64\sdtwgkmy.exesdtwgkmy.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3992
-
-
C:\Windows\SysWOW64\uzgthqnvxicyc.exeuzgthqnvxicyc.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2460
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4208
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5aa6ea9ada8be2a074d64d9ebf96c56b1
SHA14549aae132de2402ceeb743a229761d92731fefa
SHA25646428ed1165bd4532b2e6f955fcb028adca6308a10d3e6eacc65a0dea6f46114
SHA5120ae58bbc60f8d2b079ca6bdce94f6f87ae38b22a7c9f8235333db768364f511a7358b0a75026c6d8778135fc7ea99fc984f5fad9f13dc05518b8172657fde1a8
-
Filesize
512KB
MD5e35773776862d865cb7fcb82020543b4
SHA10d41e0a571fd7e6207a92e7938fd4ed2b3f51bdf
SHA256ebdede97d11a3767a781b26a91ff8322e1cd58765e36abe62e1803f954f5a3ca
SHA512c14ebd355c8e5d18aa8ed8870bfd293186e1c17655b930048be29dd27448f1ee723ee65a91bcc376974813bafe960936a02a3d14b57c3628c1f8403ab52516a1
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
239B
MD5a2f476fb970ff4f078a53f0164f2b959
SHA1531f3f100f11ff07c32df8d88038f4d5da7a58c3
SHA256f35b49bd36bf81dbce2df6540b03155ca43ef30609b3ae1d947a62eaf289d2c9
SHA512f3187e9e0465b004e3eb6320dfd1b75b37b79ff0240d989bd15cacc547a97d0a38a3b73deba81a824e71a2ae3306aab32cb692bde594dca3c2328eda16defe79
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD58905eb706b1bd62beda2f4816ddcfcdb
SHA1e62b67c1532f8ce949fa6c8dac4a6754fd9225a1
SHA25619176def1edc0fa0fffe21ef2b9a4a5308f32356a16323567571863daa92e66a
SHA5129122f7af3c85d94972c1f64a292ca03d648002d3ca22ff0ddc79fb060610f2086e1f2f2a7990482021e62b8de0d20b79f6480bd1c016998aa1895dff1422a0f6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD587738912b06fe328ddb984484571099f
SHA1cee37b52b84521fed229c8cb5916d610ff82441e
SHA256ab5be5d48d7f141580e11935d83655c0398d4ac12ff3932fe58129947995373c
SHA512f37f31ce0ea36c0ae4fedb576cc5da99af518abe18447be62092f7f9a68b1a423f0ea9c5635ed58d042ea1dcf236688bbdaa4204a8760cc4d3b3f4f1493b21e2
-
Filesize
512KB
MD57d562e1041c4be3bcee9f0dc7af0d46a
SHA1b8528fe74afefab1434534d67583f3031c153b98
SHA25631b41aaf940e3f417666debe6064c72248662f12a3a7b3103fca3bd0aba7bac6
SHA51291cda473199cee8948ce6ba4c7fc5dc7b0ec4553c8f81043111bc3c88e3a64c30380eb9207b85d44dae7f933e8b31071e3d665d381daea4b6ad23a8a6a62e8e6
-
Filesize
512KB
MD567d942871664941aa234905fd7f5604a
SHA1ec8194492d951cae7ad44d2722e5192910c522b8
SHA256bdbcf3c84eaff58aa402c790dc54652b09935d6c464d357b1d133085bb0507c2
SHA512e2614f93ff8254722286b5b4914cecf091a440c09a8ca037c8336939ac10a1f82981189a9b32d270da0850b44ea8034563d30c58981e6cc25ef95f9e999e0fa2
-
Filesize
512KB
MD5fb1396dbd8697bebadccec4fd37a226c
SHA1f34eb8a7108515f5f8c785136182a00146b4d0d1
SHA256bd95f6a3255052e7dde4b335445e1ca7ad82e268c5060ebb96c49ffa88c378c7
SHA5124a5f98aa74c228dff0d5db086251f061539686fe60bd7dff594129e53d1304aa13fdced3a7ad497b2ee52b8508bc1b49bb0a680ca58e92955fcb3035648c33ad
-
Filesize
512KB
MD5f756a56f24fba9e957b48b2a272277d5
SHA18f26ba339fc98ded66ccae57ad316d3fef77a104
SHA25656bac127a55ab5d6f1c9bd8bbe03121364c874229dbec1871235ce09fc62da5b
SHA512a54309cb3940dadec1cba2dcccaf80ca3f7032d14aa3321bf27adbe68dc12dd7f864644b4873fd527b2cc1d87b9008a869ddd250e56e596ff18113cb13b45ad6
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5511ea00fc7b813c0f5f35bf2f9359f71
SHA1eb1c813ef0420a3bd24afb27c54a22b92394fb6a
SHA256f5e7f44df14f5800e8c9aa7c81ceb5bded63fdf57a55d7bedb62145bd76237f8
SHA512349637998ab344cdd00b6a2bdef98617f91146b77783d119c94ec9f3c849b5da43f06b144606706831fd7bb37f60dae7e3ddbeade1e64f702618e0f20f393191
-
Filesize
512KB
MD5353093207b14bc06565f96a8272e1bdb
SHA1c1b55aa30cbc012f1f46479556d252d7c1075fd4
SHA256d33a2f73590f1626a9a4a6a0ac2e3d297c862a198b2f9a55fb661858c9b5cad3
SHA512c6bba31eb10d0fe150e3576f0943cc08d7a4e4c10b3172fa75f3a03b83075a65bb14122a7d2607123c2cc6c1a7330f44b7266546e53edb99918f5a99e8345c07