Analysis
max time kernel: 150s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/05/2024, 08:46
Static task: static1
Behavioral task: behavioral1
  Sample: 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
Size: 512KB
MD5: 39409cd656c0bc7567e2c8352dcc2236
SHA1: 0b4ded3b48affa28dfc075d3a56c6a8ed1ac9479
SHA256: 9f93f8f5e71266c7001be5bfa04830fc68f8a697b014d04058d1cf5417c5fbd7
SHA512: d34208d2994a2a7314b2b0c16af693504658f3588bddbba4a31f5aaa75db37814b48584112d2a70e07a871852f7dbb1b90409eea6e5038781fdbc1aecbe3cd2c
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5V
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | knnojupyyb.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | knnojupyyb.exe

Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | knnojupyyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | knnojupyyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | knnojupyyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | knnojupyyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | knnojupyyb.exe

Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | knnojupyyb.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe

Executes dropped EXE (5 IoCs)
pid | Process
4544 | knnojupyyb.exe
1596 | jpfiqzvvzvnconu.exe
2388 | tstchmrd.exe
2108 | sckcmtpbzkpas.exe
2476 | tstchmrd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | knnojupyyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | knnojupyyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | knnojupyyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | knnojupyyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | knnojupyyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | knnojupyyb.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zsskhcet = "knnojupyyb.exe" | jpfiqzvvzvnconu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cebsoydk = "jpfiqzvvzvnconu.exe" | jpfiqzvvzvnconu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sckcmtpbzkpas.exe" | jpfiqzvvzvnconu.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\z: | knnojupyyb.exe
File opened (read-only) | \??\a: | tstchmrd.exe
File opened (read-only) | \??\h: | tstchmrd.exe
File opened (read-only) | \??\l: | knnojupyyb.exe
File opened (read-only) | \??\q: | tstchmrd.exe
File opened (read-only) | \??\x: | knnojupyyb.exe
File opened (read-only) | \??\y: | tstchmrd.exe
File opened (read-only) | \??\o: | tstchmrd.exe
File opened (read-only) | \??\l: | tstchmrd.exe
File opened (read-only) | \??\u: | tstchmrd.exe
File opened (read-only) | \??\g: | knnojupyyb.exe
File opened (read-only) | \??\k: | knnojupyyb.exe
File opened (read-only) | \??\r: | knnojupyyb.exe
File opened (read-only) | \??\h: | tstchmrd.exe
File opened (read-only) | \??\j: | tstchmrd.exe
File opened (read-only) | \??\k: | tstchmrd.exe
File opened (read-only) | \??\y: | knnojupyyb.exe
File opened (read-only) | \??\s: | tstchmrd.exe
File opened (read-only) | \??\x: | tstchmrd.exe
File opened (read-only) | \??\z: | tstchmrd.exe
File opened (read-only) | \??\m: | tstchmrd.exe
File opened (read-only) | \??\s: | tstchmrd.exe
File opened (read-only) | \??\w: | tstchmrd.exe
File opened (read-only) | \??\z: | tstchmrd.exe
File opened (read-only) | \??\e: | tstchmrd.exe
File opened (read-only) | \??\u: | tstchmrd.exe
File opened (read-only) | \??\w: | knnojupyyb.exe
File opened (read-only) | \??\a: | tstchmrd.exe
File opened (read-only) | \??\b: | tstchmrd.exe
File opened (read-only) | \??\t: | tstchmrd.exe
File opened (read-only) | \??\t: | knnojupyyb.exe
File opened (read-only) | \??\r: | tstchmrd.exe
File opened (read-only) | \??\i: | tstchmrd.exe
File opened (read-only) | \??\m: | knnojupyyb.exe
File opened (read-only) | \??\v: | knnojupyyb.exe
File opened (read-only) | \??\g: | tstchmrd.exe
File opened (read-only) | \??\a: | knnojupyyb.exe
File opened (read-only) | \??\s: | knnojupyyb.exe
File opened (read-only) | \??\n: | tstchmrd.exe
File opened (read-only) | \??\q: | tstchmrd.exe
File opened (read-only) | \??\k: | tstchmrd.exe
File opened (read-only) | \??\n: | tstchmrd.exe
File opened (read-only) | \??\r: | tstchmrd.exe
File opened (read-only) | \??\n: | knnojupyyb.exe
File opened (read-only) | \??\u: | knnojupyyb.exe
File opened (read-only) | \??\x: | tstchmrd.exe
File opened (read-only) | \??\b: | tstchmrd.exe
File opened (read-only) | \??\p: | tstchmrd.exe
File opened (read-only) | \??\v: | tstchmrd.exe
File opened (read-only) | \??\b: | knnojupyyb.exe
File opened (read-only) | \??\i: | knnojupyyb.exe
File opened (read-only) | \??\o: | knnojupyyb.exe
File opened (read-only) | \??\j: | knnojupyyb.exe
File opened (read-only) | \??\i: | tstchmrd.exe
File opened (read-only) | \??\w: | tstchmrd.exe
File opened (read-only) | \??\y: | tstchmrd.exe
File opened (read-only) | \??\v: | tstchmrd.exe
File opened (read-only) | \??\j: | tstchmrd.exe
File opened (read-only) | \??\e: | knnojupyyb.exe
File opened (read-only) | \??\h: | knnojupyyb.exe
File opened (read-only) | \??\p: | knnojupyyb.exe
File opened (read-only) | \??\q: | knnojupyyb.exe
File opened (read-only) | \??\g: | tstchmrd.exe
File opened (read-only) | \??\t: | tstchmrd.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | knnojupyyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | knnojupyyb.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4220-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0009000000023414-5.dat | autoit_exe
behavioral2/files/0x0006000000022f42-18.dat | autoit_exe
behavioral2/files/0x0007000000023424-26.dat | autoit_exe
behavioral2/files/0x0007000000023425-31.dat | autoit_exe
behavioral2/files/0x0008000000023408-65.dat | autoit_exe
behavioral2/files/0x00020000000229c8-63.dat | autoit_exe
behavioral2/files/0x0009000000023393-73.dat | autoit_exe
behavioral2/files/0x00070000000230c0-111.dat | autoit_exe
behavioral2/files/0x00070000000230c0-387.dat | autoit_exe

Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\jpfiqzvvzvnconu.exe | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\tstchmrd.exe | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\sckcmtpbzkpas.exe | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tstchmrd.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tstchmrd.exe
File created | C:\Windows\SysWOW64\knnojupyyb.exe | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\knnojupyyb.exe | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\jpfiqzvvzvnconu.exe | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\tstchmrd.exe | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\sckcmtpbzkpas.exe | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | knnojupyyb.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tstchmrd.exe

Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tstchmrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tstchmrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tstchmrd.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tstchmrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tstchmrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | tstchmrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tstchmrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | tstchmrd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tstchmrd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tstchmrd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tstchmrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | tstchmrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | tstchmrd.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tstchmrd.exe

Drops file in Windows directory (19 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tstchmrd.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tstchmrd.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tstchmrd.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tstchmrd.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tstchmrd.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tstchmrd.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tstchmrd.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tstchmrd.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tstchmrd.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tstchmrd.exe
File opened for modification | C:\Windows\mydoc.rtf | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tstchmrd.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tstchmrd.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tstchmrd.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tstchmrd.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tstchmrd.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tstchmrd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | knnojupyyb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | knnojupyyb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFF9CBF96BF190840E3A4B819D3E97B3FC038B4366033AE1B842EE09D6" | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B0294495399A53BDBAA633E8D7BB" | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFFFF482B85129135D6587E95BDEFE64159356647633FD6EE" | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | knnojupyyb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | knnojupyyb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08068B6FF6721AAD278D0D48A7C9011" | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC67415E0DBC3B8CB7F92EDE534BB" | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | knnojupyyb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | knnojupyyb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | knnojupyyb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C769C2783506A3677D577262DD77C8764DB" | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | knnojupyyb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | knnojupyyb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | knnojupyyb.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | knnojupyyb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | knnojupyyb.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | occurrences
3908 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
4220 | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe | 16
4544 | knnojupyyb.exe | 10
1596 | jpfiqzvvzvnconu.exe | 10
2108 | sckcmtpbzkpas.exe | 12
2388 | tstchmrd.exe | 8
2476 | tstchmrd.exe | 8

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | occurrences
4220 | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe | 3
4544 | knnojupyyb.exe | 3
1596 | jpfiqzvvzvnconu.exe | 3
2108 | sckcmtpbzkpas.exe | 3
2388 | tstchmrd.exe | 3
2476 | tstchmrd.exe | 3

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | occurrences
4220 | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe | 3
4544 | knnojupyyb.exe | 3
1596 | jpfiqzvvzvnconu.exe | 3
2108 | sckcmtpbzkpas.exe | 3
2388 | tstchmrd.exe | 3
2476 | tstchmrd.exe | 3

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | occurrences
3908 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | occurrences
PID 4220 wrote to memory of 4544 | 4220 | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe | 83 | 3
PID 4220 wrote to memory of 1596 | 4220 | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe | 84 | 3
PID 4220 wrote to memory of 2388 | 4220 | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe | 85 | 3
PID 4220 wrote to memory of 2108 | 4220 | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe | 86 | 3
PID 4220 wrote to memory of 3908 | 4220 | 39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe | 87 | 2
PID 4544 wrote to memory of 2476 | 4544 | knnojupyyb.exe | 89 | 3
Processes
C:\Users\Admin\AppData\Local\Temp\39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4220

  C:\Windows\SysWOW64\knnojupyyb.exe
    Command line: knnojupyyb.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 4544

    C:\Windows\SysWOW64\tstchmrd.exe
      Command line: C:\Windows\system32\tstchmrd.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2476

  C:\Windows\SysWOW64\jpfiqzvvzvnconu.exe
    Command line: jpfiqzvvzvnconu.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1596

  C:\Windows\SysWOW64\tstchmrd.exe
    Command line: tstchmrd.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2388

  C:\Windows\SysWOW64\sckcmtpbzkpas.exe
    Command line: sckcmtpbzkpas.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2108

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 3908
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads