Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/05/2024, 01:49
Static task: static1
Behavioral task: behavioral1
- Sample: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe
- Size: 512KB
- MD5: 3d70dc2238d6eb9717856bea4afe25b8
- SHA1: 3cfe04cb1ff8eab3ace24af3a381391bccb200eb
- SHA256: 4842776370b2873c8d8b31302a23afe1deba3e9b44b4e7c1afcdf8da2da9ee1a
- SHA512: a4ffb764bd92ea6a0e5bd4397877c22c50f8c2d15357ac9ed40951533703b1ea90a5df42faa8b3046408e6986aae008f2a74157580f14c69a4ec1eeffba1072f
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5g
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: puaiocctgs.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: puaiocctgs.exe)
Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: puaiocctgs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: puaiocctgs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: puaiocctgs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: puaiocctgs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: puaiocctgs.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: puaiocctgs.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
Executes dropped EXE 5 IoCs
- PID 1508 puaiocctgs.exe
- PID 2424 avzrxujqacyrozf.exe
- PID 3432 fbhenufe.exe
- PID 1932 filpfikumyexr.exe
- PID 3564 fbhenufe.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: puaiocctgs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: puaiocctgs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: puaiocctgs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: puaiocctgs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: puaiocctgs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: puaiocctgs.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dhbdwhdl = "puaiocctgs.exe" (process: avzrxujqacyrozf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lrjzbmrd = "avzrxujqacyrozf.exe" (process: avzrxujqacyrozf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "filpfikumyexr.exe" (process: avzrxujqacyrozf.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- puaiocctgs.exe, File opened (read-only), 22 entries in report order: \??\i:, \??\u:, \??\g:, \??\s:, \??\t:, \??\x:, \??\e:, \??\q:, \??\y:, \??\a:, \??\w:, \??\z:, \??\l:, \??\p:, \??\j:, \??\k:, \??\r:, \??\h:, \??\m:, \??\v:, \??\b:, \??\o:
- fbhenufe.exe, File opened (read-only), 42 entries in report order: \??\n:, \??\s:, \??\p:, \??\a:, \??\h:, \??\j:, \??\v:, \??\i:, \??\y:, \??\i:, \??\y:, \??\h:, \??\l:, \??\x:, \??\s:, \??\w:, \??\z:, \??\g:, \??\m:, \??\e:, \??\r:, \??\q:, \??\n:, \??\a:, \??\j:, \??\o:, \??\w:, \??\x:, \??\b:, \??\r:, \??\t:, \??\p:, \??\m:, \??\g:, \??\k:, \??\l:, \??\v:, \??\q:, \??\z:, \??\o:, \??\u:, \??\b:
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: puaiocctgs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: puaiocctgs.exe)
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
Resources matching yara rule autoit_exe:
- behavioral2/memory/3056-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x0008000000023412-5.dat
- behavioral2/files/0x0007000000023414-32.dat
- behavioral2/files/0x0007000000023413-27.dat
- behavioral2/files/0x0005000000023266-19.dat
- behavioral2/files/0x0007000000023422-69.dat
- behavioral2/files/0x000800000002340a-66.dat
- behavioral2/files/0x000700000002292d-72.dat
- behavioral2/files/0x000c00000001e40b-90.dat
- behavioral2/files/0x000c00000001e40b-95.dat
Drops file in System32 directory 13 IoCs
- File created C:\Windows\SysWOW64\avzrxujqacyrozf.exe (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\fbhenufe.exe (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\puaiocctgs.exe (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\filpfikumyexr.exe (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\filpfikumyexr.exe (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\avzrxujqacyrozf.exe (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\fbhenufe.exe (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File opened for modification C:\Windows\SysWOW64\puaiocctgs.exe (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (process: puaiocctgs.exe)
Drops file in Program Files directory 15 IoCs
All entries by process fbhenufe.exe:
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Drops file in Windows directory 19 IoCs
- File created C:\Windows\~$mydoc.rtf (process: WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File opened for modification C:\Windows\mydoc.rtf (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File opened for modification C:\Windows\mydoc.rtf (process: WINWORD.EXE)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: fbhenufe.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
Modifies registry class 20 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFF8E482C826A9145D72E7DE5BC93E144583767426236D6ED" (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (process: puaiocctgs.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (process: puaiocctgs.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (process: puaiocctgs.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (process: puaiocctgs.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (process: puaiocctgs.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432D7D9C5783566A3376D370252DDA7DF265DA" (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BC4FE6621DCD10ED0A68A7D9166" (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (process: puaiocctgs.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (process: puaiocctgs.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4F9C9FE67F2E084783A4486EA3E90B08E028C4261023BE1B845EA08D3" (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (process: puaiocctgs.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (process: puaiocctgs.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (process: puaiocctgs.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (process: puaiocctgs.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (process: puaiocctgs.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B12847E6399853BFB9D73293D7B8" (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC7081591DBB1B8BD7CE9ECE734CD" (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
- Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (process: 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 3912 WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 3056 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe (16 entries)
- PID 3432 fbhenufe.exe (8 entries)
- PID 2424 avzrxujqacyrozf.exe (10 entries)
- PID 1508 puaiocctgs.exe (10 entries)
- PID 1932 filpfikumyexr.exe (12 entries)
- PID 3564 fbhenufe.exe (8 entries)
Suspicious use of FindShellTrayWindow 18 IoCs
- PID 3056 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe (3 entries)
- PID 2424 avzrxujqacyrozf.exe (3 entries)
- PID 3432 fbhenufe.exe (3 entries)
- PID 1508 puaiocctgs.exe (3 entries)
- PID 1932 filpfikumyexr.exe (3 entries)
- PID 3564 fbhenufe.exe (3 entries)
Suspicious use of SendNotifyMessage 18 IoCs
- PID 3056 3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe (3 entries)
- PID 2424 avzrxujqacyrozf.exe (3 entries)
- PID 3432 fbhenufe.exe (3 entries)
- PID 1508 puaiocctgs.exe (3 entries)
- PID 1932 filpfikumyexr.exe (3 entries)
- PID 3564 fbhenufe.exe (3 entries)
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 3912 WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory 17 IoCs
- PID 3056 (3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe) wrote to memory of 1508, procid_target 82 (3 entries)
- PID 3056 (3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe) wrote to memory of 2424, procid_target 83 (3 entries)
- PID 3056 (3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe) wrote to memory of 3432, procid_target 84 (3 entries)
- PID 3056 (3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe) wrote to memory of 1932, procid_target 85 (3 entries)
- PID 3056 (3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe) wrote to memory of 3912, procid_target 86 (2 entries)
- PID 1508 (puaiocctgs.exe) wrote to memory of 3564, procid_target 88 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe (PID 3056, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d70dc2238d6eb9717856bea4afe25b8_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\puaiocctgs.exe (PID 1508, level 2)
    Command line: puaiocctgs.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\fbhenufe.exe (PID 3564, level 3)
      Command line: C:\Windows\system32\fbhenufe.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\avzrxujqacyrozf.exe (PID 2424, level 2)
    Command line: avzrxujqacyrozf.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\fbhenufe.exe (PID 3432, level 2)
    Command line: fbhenufe.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\filpfikumyexr.exe (PID 1932, level 2)
    Command line: filpfikumyexr.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3912, level 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads