Analysis
max time kernel: 150s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/05/2024, 16:25

Static task: static1

Behavioral task: behavioral1
Sample: 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
Resource: win10v2004-20240419-en
General
Target: 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
Size: 512KB
MD5: 138ab3851b1cac597608dc4d81e7c3b3
SHA1: 5ddac8d67e5ebece0c9e7d510501e60d17da19ca
SHA256: 7ff0d48ada976ce610b07313fae99f552d9a5fc983c712075e37852f0a4ecbd8
SHA512: 78384fc156d4b9cfb49a4c37f8202696458e83fb72677655ce518511b5731b37f8e7aee8f1041f4dc9a97b8489bcbf2e1eb4f973f437eb44a0e43b23f94877ed
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6l:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5i
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | azmgowqtme.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | azmgowqtme.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | azmgowqtme.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | azmgowqtme.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | azmgowqtme.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | azmgowqtme.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | azmgowqtme.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | azmgowqtme.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | Process
2216 | azmgowqtme.exe
696 | ebtpualfgsxvomc.exe
3352 | fftdnzyu.exe
3332 | bccqdyuiudlbc.exe
4388 | fftdnzyu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | azmgowqtme.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | azmgowqtme.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | azmgowqtme.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | azmgowqtme.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | azmgowqtme.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | azmgowqtme.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otirhczz = "ebtpualfgsxvomc.exe" | ebtpualfgsxvomc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bccqdyuiudlbc.exe" | ebtpualfgsxvomc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ibxndrzs = "azmgowqtme.exe" | ebtpualfgsxvomc.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | azmgowqtme.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | azmgowqtme.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1856-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0031000000023bb7-5.dat | autoit_exe
behavioral2/files/0x000b000000023bb3-19.dat | autoit_exe
behavioral2/files/0x000a000000023bb8-24.dat | autoit_exe
behavioral2/files/0x000a000000023bb9-32.dat | autoit_exe
behavioral2/files/0x000a000000023bc7-75.dat | autoit_exe
behavioral2/files/0x000b000000023b9f-69.dat | autoit_exe
behavioral2/files/0x000400000002297e-81.dat | autoit_exe
behavioral2/files/0x000c000000023aab-98.dat | autoit_exe
behavioral2/files/0x000c000000023aab-108.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\azmgowqtme.exe | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ebtpualfgsxvomc.exe | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bccqdyuiudlbc.exe | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bccqdyuiudlbc.exe | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | fftdnzyu.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | fftdnzyu.exe
File created | C:\Windows\SysWOW64\azmgowqtme.exe | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ebtpualfgsxvomc.exe | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\fftdnzyu.exe | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fftdnzyu.exe | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | azmgowqtme.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | fftdnzyu.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | fftdnzyu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | fftdnzyu.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | fftdnzyu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | fftdnzyu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | fftdnzyu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | fftdnzyu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | fftdnzyu.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | fftdnzyu.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | fftdnzyu.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | fftdnzyu.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | fftdnzyu.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | fftdnzyu.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | fftdnzyu.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | fftdnzyu.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | fftdnzyu.exe
File opened for modification | C:\Windows\mydoc.rtf | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFFACDFE10F29984753B4086973997B088038C4260023FE1B842ED08A9" | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FFFF485A8269913CD62E7E90BDE4E637594367346345D7EE" | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7816BB7FF6C21ADD20FD1D38B089010" | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC7751590DBC0B8CC7CE7EC9437BC" | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | azmgowqtme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | azmgowqtme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | azmgowqtme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422D0D9C2483586A3377D777272DDA7D8364DC" | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | azmgowqtme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | azmgowqtme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | azmgowqtme.exe
Key created | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | azmgowqtme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | azmgowqtme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | azmgowqtme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | azmgowqtme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | azmgowqtme.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B12C4495399F53BFB9A7339CD4B8" | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | azmgowqtme.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process (distinct pairs)
4456 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (distinct pairs)
1856 | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
2216 | azmgowqtme.exe
3352 | fftdnzyu.exe
3332 | bccqdyuiudlbc.exe
696 | ebtpualfgsxvomc.exe
4388 | fftdnzyu.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process (distinct pairs)
1856 | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
2216 | azmgowqtme.exe
3332 | bccqdyuiudlbc.exe
3352 | fftdnzyu.exe
696 | ebtpualfgsxvomc.exe
4388 | fftdnzyu.exe
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process (distinct pairs)
1856 | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
2216 | azmgowqtme.exe
3332 | bccqdyuiudlbc.exe
3352 | fftdnzyu.exe
696 | ebtpualfgsxvomc.exe
4388 | fftdnzyu.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process (distinct pairs)
4456 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 1856 wrote to memory of 2216 | 1856 | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe | 83
PID 1856 wrote to memory of 696 | 1856 | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe | 84
PID 1856 wrote to memory of 3352 | 1856 | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe | 85
PID 1856 wrote to memory of 3332 | 1856 | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe | 86
PID 1856 wrote to memory of 4456 | 1856 | 138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe | 87
PID 2216 wrote to memory of 4388 | 2216 | azmgowqtme.exe | 89
Processes

C:\Users\Admin\AppData\Local\Temp\138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\138ab3851b1cac597608dc4d81e7c3b3_JaffaCakes118.exe"
PID: 1856
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\azmgowqtme.exe
    Command line: azmgowqtme.exe
    PID: 2216
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\fftdnzyu.exe
        Command line: C:\Windows\system32\fftdnzyu.exe
        PID: 4388
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\ebtpualfgsxvomc.exe
    Command line: ebtpualfgsxvomc.exe
    PID: 696
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\fftdnzyu.exe
    Command line: fftdnzyu.exe
    PID: 3352
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\bccqdyuiudlbc.exe
    Command line: bccqdyuiudlbc.exe
    PID: 3332
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4456
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
    - Hidden Files and Directories (2)
- Impair Defenses (2)
    - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads