Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/05/2024, 04:46
Static task: static1
Behavioral task: behavioral1
  Sample: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe
Size: 512KB
MD5: 32ca91acbcdacd3dcabad9d64fa729a1
SHA1: 8cec4e68079c49338600301b30ec6baf23955f68
SHA256: 248056ea386d1f999bd6a2b222f7bc8e15df95f04e02137c587641b13038e9a8
SHA512: e4306ca7762ebe9e05b6f1d2a32c6c2ad969a128077ac02ebf44a5cc3b9b7c1be176620e4a8d61994f76264fd9b5698c19f2e7fa822740e03171d065cf757280
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6w:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5z
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: aacrrwtprw.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: aacrrwtprw.exe)
Windows security bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: aacrrwtprw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: aacrrwtprw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: aacrrwtprw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: aacrrwtprw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: aacrrwtprw.exe)
Disables RegEdit via registry modification (1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: aacrrwtprw.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
Executes dropped EXE (5 IoCs)
- PID 244: aacrrwtprw.exe
- PID 348: jgcrhwoazdwzwwj.exe
- PID 3764: weocmsgp.exe
- PID 1080: oqvlwkojeyjti.exe
- PID 1348: weocmsgp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: aacrrwtprw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: aacrrwtprw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: aacrrwtprw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: aacrrwtprw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: aacrrwtprw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: aacrrwtprw.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gyseeqyy = "aacrrwtprw.exe" (process: jgcrhwoazdwzwwj.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nmzyndog = "jgcrhwoazdwzwwj.exe" (process: jgcrhwoazdwzwwj.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oqvlwkojeyjti.exe" (process: jgcrhwoazdwzwwj.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: aacrrwtprw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: aacrrwtprw.exe)
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral2/memory/1948-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral2/files/0x0008000000023492-5.dat (yara rule: autoit_exe)
- behavioral2/files/0x0007000000023305-18.dat (yara rule: autoit_exe)
- behavioral2/files/0x0007000000023496-26.dat (yara rule: autoit_exe)
- behavioral2/files/0x0007000000023497-32.dat (yara rule: autoit_exe)
- behavioral2/files/0x0008000000023488-69.dat (yara rule: autoit_exe)
- behavioral2/files/0x00070000000234a6-75.dat (yara rule: autoit_exe)
- behavioral2/files/0x001b0000000234cd-569.dat (yara rule: autoit_exe)
- behavioral2/files/0x001b0000000234cd-576.dat (yara rule: autoit_exe)
Drops file in System32 directory (12 IoCs)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File created: C:\Windows\SysWOW64\jgcrhwoazdwzwwj.exe (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\jgcrhwoazdwzwwj.exe (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\weocmsgp.exe (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\oqvlwkojeyjti.exe (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (process: aacrrwtprw.exe)
- File created: C:\Windows\SysWOW64\aacrrwtprw.exe (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\aacrrwtprw.exe (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\weocmsgp.exe (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\oqvlwkojeyjti.exe (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
Drops file in Program Files directory (14 IoCs)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: weocmsgp.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: weocmsgp.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: weocmsgp.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (process: weocmsgp.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: weocmsgp.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: weocmsgp.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: weocmsgp.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: weocmsgp.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: weocmsgp.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (process: weocmsgp.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (process: weocmsgp.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: weocmsgp.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (process: weocmsgp.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: weocmsgp.exe)
Drops file in Windows directory (19 IoCs)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File opened for modification: C:\Windows\mydoc.rtf (process: WINWORD.EXE)
- File created: C:\Windows\~$mydoc.rtf (process: WINWORD.EXE)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File opened for modification: C:\Windows\mydoc.rtf (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: weocmsgp.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
Modifies registry class (20 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC67C1491DBB2B8CA7CE0ED9134CE" (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (process: aacrrwtprw.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (process: aacrrwtprw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (process: aacrrwtprw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (process: aacrrwtprw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (process: aacrrwtprw.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (process: aacrrwtprw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFACAF911F2E083783A4686ED3990B3FC02F042160233E2C945E708A0" (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFCF94F26851D9046D72C7DE1BDE7E137583767366243D79D" (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (process: aacrrwtprw.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (process: aacrrwtprw.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B12F47E1399A53BAB9D13292D4BF" (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F668C3FF6721DDD20CD1D68B099063" (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (process: aacrrwtprw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (process: aacrrwtprw.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C799C5182226D3E77D777222DDE7CF565DE" (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (process: aacrrwtprw.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (process: aacrrwtprw.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 4492: WINWORD.EXE
- PID 4492: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
Suspicious use of SendNotifyMessage (18 IoCs)
Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 4492: WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory (17 IoCs)
- PID 1948 wrote to memory of 244 (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe, procid_target: 83)
- PID 1948 wrote to memory of 244 (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe, procid_target: 83)
- PID 1948 wrote to memory of 244 (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe, procid_target: 83)
- PID 1948 wrote to memory of 348 (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe, procid_target: 84)
- PID 1948 wrote to memory of 348 (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe, procid_target: 84)
- PID 1948 wrote to memory of 348 (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe, procid_target: 84)
- PID 1948 wrote to memory of 3764 (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe, procid_target: 85)
- PID 1948 wrote to memory of 3764 (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe, procid_target: 85)
- PID 1948 wrote to memory of 3764 (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe, procid_target: 85)
- PID 1948 wrote to memory of 1080 (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe, procid_target: 86)
- PID 1948 wrote to memory of 1080 (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe, procid_target: 86)
- PID 1948 wrote to memory of 1080 (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe, procid_target: 86)
- PID 244 wrote to memory of 1348 (process: aacrrwtprw.exe, procid_target: 88)
- PID 244 wrote to memory of 1348 (process: aacrrwtprw.exe, procid_target: 88)
- PID 244 wrote to memory of 1348 (process: aacrrwtprw.exe, procid_target: 88)
- PID 1948 wrote to memory of 4492 (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe, procid_target: 87)
- PID 1948 wrote to memory of 4492 (process: 32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe, procid_target: 87)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\32ca91acbcdacd3dcabad9d64fa729a1_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1948
    [2] C:\Windows\SysWOW64\aacrrwtprw.exe
        Command line: aacrrwtprw.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 244
        [3] C:\Windows\SysWOW64\weocmsgp.exe
            Command line: C:\Windows\system32\weocmsgp.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            PID: 1348
    [2] C:\Windows\SysWOW64\jgcrhwoazdwzwwj.exe
        Command line: jgcrhwoazdwzwwj.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 348
    [2] C:\Windows\SysWOW64\weocmsgp.exe
        Command line: weocmsgp.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 3764
    [2] C:\Windows\SysWOW64\oqvlwkojeyjti.exe
        Command line: oqvlwkojeyjti.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 1080
    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        PID: 4492
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads