Analysis
max time kernel: 150s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 11:26
Static task
static1
Behavioral task
behavioral1
Sample
45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target: 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
Size: 512KB
MD5: 45f3f7dd5bc12614c370b2a84797a6b2
SHA1: 26277c4faa6a311d28f23331d6e6a83985bbbcf9
SHA256: 9c41efa16ee9811daf1d79794ceadd5475fcd294166d5664fdf1a835e5a7b1ef
SHA512: 186fc2af56e02ebb7c5eba6e2a06feafa3af85481f18e677729da82d2bf14ec2e351646c683a64136522120b960e90e597fbf042e50fc0f0e0e28eb3f81ff2d0
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | yudfnnnlpv.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | yudfnnnlpv.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | yudfnnnlpv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | yudfnnnlpv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | yudfnnnlpv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | yudfnnnlpv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | yudfnnnlpv.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | yudfnnnlpv.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
1404 | yudfnnnlpv.exe
4004 | vxmrthcqdhnujma.exe
4568 | qafzzzqe.exe
1032 | nnbiworpfdovf.exe
5096 | qafzzzqe.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | yudfnnnlpv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | yudfnnnlpv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | yudfnnnlpv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | yudfnnnlpv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | yudfnnnlpv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | yudfnnnlpv.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\clggejgy = "vxmrthcqdhnujma.exe" | vxmrthcqdhnujma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nnbiworpfdovf.exe" | vxmrthcqdhnujma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfzrcznf = "yudfnnnlpv.exe" | vxmrthcqdhnujma.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\g: | qafzzzqe.exe
File opened (read-only) | \??\v: | qafzzzqe.exe
File opened (read-only) | \??\o: | yudfnnnlpv.exe
File opened (read-only) | \??\p: | yudfnnnlpv.exe
File opened (read-only) | \??\a: | qafzzzqe.exe
File opened (read-only) | \??\e: | qafzzzqe.exe
File opened (read-only) | \??\j: | qafzzzqe.exe
File opened (read-only) | \??\r: | yudfnnnlpv.exe
File opened (read-only) | \??\n: | qafzzzqe.exe
File opened (read-only) | \??\p: | qafzzzqe.exe
File opened (read-only) | \??\a: | yudfnnnlpv.exe
File opened (read-only) | \??\e: | yudfnnnlpv.exe
File opened (read-only) | \??\y: | qafzzzqe.exe
File opened (read-only) | \??\k: | qafzzzqe.exe
File opened (read-only) | \??\v: | yudfnnnlpv.exe
File opened (read-only) | \??\s: | qafzzzqe.exe
File opened (read-only) | \??\i: | qafzzzqe.exe
File opened (read-only) | \??\q: | qafzzzqe.exe
File opened (read-only) | \??\v: | qafzzzqe.exe
File opened (read-only) | \??\s: | yudfnnnlpv.exe
File opened (read-only) | \??\b: | qafzzzqe.exe
File opened (read-only) | \??\u: | qafzzzqe.exe
File opened (read-only) | \??\t: | qafzzzqe.exe
File opened (read-only) | \??\x: | yudfnnnlpv.exe
File opened (read-only) | \??\r: | qafzzzqe.exe
File opened (read-only) | \??\e: | qafzzzqe.exe
File opened (read-only) | \??\j: | qafzzzqe.exe
File opened (read-only) | \??\u: | qafzzzqe.exe
File opened (read-only) | \??\l: | yudfnnnlpv.exe
File opened (read-only) | \??\n: | yudfnnnlpv.exe
File opened (read-only) | \??\z: | qafzzzqe.exe
File opened (read-only) | \??\l: | qafzzzqe.exe
File opened (read-only) | \??\t: | yudfnnnlpv.exe
File opened (read-only) | \??\i: | qafzzzqe.exe
File opened (read-only) | \??\w: | yudfnnnlpv.exe
File opened (read-only) | \??\y: | yudfnnnlpv.exe
File opened (read-only) | \??\b: | qafzzzqe.exe
File opened (read-only) | \??\x: | qafzzzqe.exe
File opened (read-only) | \??\y: | qafzzzqe.exe
File opened (read-only) | \??\g: | yudfnnnlpv.exe
File opened (read-only) | \??\i: | yudfnnnlpv.exe
File opened (read-only) | \??\k: | qafzzzqe.exe
File opened (read-only) | \??\p: | qafzzzqe.exe
File opened (read-only) | \??\q: | qafzzzqe.exe
File opened (read-only) | \??\h: | qafzzzqe.exe
File opened (read-only) | \??\o: | qafzzzqe.exe
File opened (read-only) | \??\r: | qafzzzqe.exe
File opened (read-only) | \??\k: | yudfnnnlpv.exe
File opened (read-only) | \??\m: | yudfnnnlpv.exe
File opened (read-only) | \??\n: | qafzzzqe.exe
File opened (read-only) | \??\x: | qafzzzqe.exe
File opened (read-only) | \??\b: | yudfnnnlpv.exe
File opened (read-only) | \??\h: | yudfnnnlpv.exe
File opened (read-only) | \??\t: | qafzzzqe.exe
File opened (read-only) | \??\g: | qafzzzqe.exe
File opened (read-only) | \??\w: | qafzzzqe.exe
File opened (read-only) | \??\z: | yudfnnnlpv.exe
File opened (read-only) | \??\h: | qafzzzqe.exe
File opened (read-only) | \??\o: | qafzzzqe.exe
File opened (read-only) | \??\z: | qafzzzqe.exe
File opened (read-only) | \??\j: | yudfnnnlpv.exe
File opened (read-only) | \??\a: | qafzzzqe.exe
File opened (read-only) | \??\m: | qafzzzqe.exe
File opened (read-only) | \??\q: | yudfnnnlpv.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | yudfnnnlpv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | yudfnnnlpv.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4328-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000800000002340b-5.dat | autoit_exe
behavioral2/files/0x000700000002340c-27.dat | autoit_exe
behavioral2/files/0x000a0000000233c0-19.dat | autoit_exe
behavioral2/files/0x000700000002340d-31.dat | autoit_exe
behavioral2/files/0x0007000000023419-66.dat | autoit_exe
behavioral2/files/0x000800000002338c-90.dat | autoit_exe
behavioral2/files/0x000800000002338c-393.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\qafzzzqe.exe | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\nnbiworpfdovf.exe | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qafzzzqe.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qafzzzqe.exe
File created | C:\Windows\SysWOW64\yudfnnnlpv.exe | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vxmrthcqdhnujma.exe | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\qafzzzqe.exe | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\nnbiworpfdovf.exe | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | yudfnnnlpv.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qafzzzqe.exe
File opened for modification | C:\Windows\SysWOW64\yudfnnnlpv.exe | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\vxmrthcqdhnujma.exe | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qafzzzqe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qafzzzqe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qafzzzqe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qafzzzqe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qafzzzqe.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qafzzzqe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qafzzzqe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qafzzzqe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qafzzzqe.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qafzzzqe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qafzzzqe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qafzzzqe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qafzzzqe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qafzzzqe.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qafzzzqe.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qafzzzqe.exe
File opened for modification | C:\Windows\mydoc.rtf | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qafzzzqe.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qafzzzqe.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qafzzzqe.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qafzzzqe.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qafzzzqe.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qafzzzqe.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qafzzzqe.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qafzzzqe.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qafzzzqe.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qafzzzqe.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qafzzzqe.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qafzzzqe.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qafzzzqe.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qafzzzqe.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qafzzzqe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | yudfnnnlpv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | yudfnnnlpv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | yudfnnnlpv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | yudfnnnlpv.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | yudfnnnlpv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | yudfnnnlpv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | yudfnnnlpv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352D7D9C2D83596A3276A570512CAB7C8E65DF" | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF89485D85189046D7287E97BC94E134594367316241D7E9" | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | yudfnnnlpv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | yudfnnnlpv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | yudfnnnlpv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAF9BCF960F2E084743B3286983E90B08B02FC4366023CE1C442ED08D2" | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F26BB3FF6E22DAD273D1A48A0C9117" | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | yudfnnnlpv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | yudfnnnlpv.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB12B479338E852C4B9A733EDD7B8" | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC67D15E5DAC7B8C17C97EDE037B9" | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4444 | WINWORD.EXE (×2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4328 | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe (×16)
1404 | yudfnnnlpv.exe (×10)
1032 | nnbiworpfdovf.exe (×12)
4004 | vxmrthcqdhnujma.exe (×8)
4568 | qafzzzqe.exe (×8)
4004 | vxmrthcqdhnujma.exe (×2)
5096 | qafzzzqe.exe (×8)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
4328 | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe (×3)
1404 | yudfnnnlpv.exe (×3)
4004 | vxmrthcqdhnujma.exe (×3)
1032 | nnbiworpfdovf.exe
4568 | qafzzzqe.exe
1032 | nnbiworpfdovf.exe
4568 | qafzzzqe.exe
1032 | nnbiworpfdovf.exe
4568 | qafzzzqe.exe
5096 | qafzzzqe.exe (×3)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
4328 | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe (×3)
1404 | yudfnnnlpv.exe (×3)
4004 | vxmrthcqdhnujma.exe (×3)
1032 | nnbiworpfdovf.exe
4568 | qafzzzqe.exe
1032 | nnbiworpfdovf.exe
4568 | qafzzzqe.exe
1032 | nnbiworpfdovf.exe
4568 | qafzzzqe.exe
5096 | qafzzzqe.exe (×3)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4444 | WINWORD.EXE (×7)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4328 wrote to memory of 1404 | 4328 | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe | 82 (×3)
PID 4328 wrote to memory of 4004 | 4328 | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe | 83 (×3)
PID 4328 wrote to memory of 4568 | 4328 | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe | 84 (×3)
PID 4328 wrote to memory of 1032 | 4328 | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe | 85 (×3)
PID 1404 wrote to memory of 5096 | 1404 | yudfnnnlpv.exe | 88 (×3)
PID 4328 wrote to memory of 4444 | 4328 | 45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe | 87 (×2)
Processes
Indented entries are child processes of the entry above them.
C:\Users\Admin\AppData\Local\Temp\45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\45f3f7dd5bc12614c370b2a84797a6b2_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4328
  C:\Windows\SysWOW64\yudfnnnlpv.exe
    Command line: yudfnnnlpv.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1404
    C:\Windows\SysWOW64\qafzzzqe.exe
      Command line: C:\Windows\system32\qafzzzqe.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 5096
  C:\Windows\SysWOW64\vxmrthcqdhnujma.exe
    Command line: vxmrthcqdhnujma.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4004
  C:\Windows\SysWOW64\qafzzzqe.exe
    Command line: qafzzzqe.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4568
  C:\Windows\SysWOW64\nnbiworpfdovf.exe
    Command line: nnbiworpfdovf.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1032
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 4444
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 6fef6b6c23b2b8357402ed3e3aaa0364
SHA1: 6a051e9ae85ea93dd9e8f6d34c75511fbe474362
SHA256: 6e389eeba18767e84eb45e7b211bb888250053b7dc30fa38c1697f60e3a10f76
SHA512: 7fa8e60a32141fbb85745615df57f823e7aa2cb718f3c0dd69539168f1b80cb372ed41071fc65c848337548eef1772a4998dd0574ccdfabf7b11be67c2527aa5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: bd241f6c60539261879146745bd3b566
SHA1: 66a67357fc294cb0eba6d3b2190dabfe8f3d0610
SHA256: 918c672ae8824325527ba44f257786ddd671bf509f5337fbf17d885d3a6a7403
SHA512: d0ef4482a3b1b9e4030db04b694ee6bb9ff3e6b12a1a40b21dbd935a68abeeebcde33a9e9eb26e826ccb165bb0b4b72186110cc2dac2a4b18236a452e88023b3

Filesize: 512KB
MD5: 947e6023e53ec81ca90a1249615ca639
SHA1: 6901e97dec32d101b7915f386f0c4e42d0aab11d
SHA256: f309e0d22271d1a624ae120630a49a1a22a01c981d7d034c87e32aca505aa612
SHA512: 153a2eea669804d35fcb0d7a01a405a799f430a7545e78abf54552276ebb14c5d6fcc9d2aaa14b7946f18d956f2ca9fda1ac9f06b8937c46ecb3305a1f61fd10

Filesize: 512KB
MD5: 0a0837287e80894b9941644e94b5ab55
SHA1: 696942f5195d21fff89f456c9b8eaae399f3fc83
SHA256: 7ccc6c2329a239bb44bd6685024e202f8726fc664b7f0d676bfbdcb76b2b9406
SHA512: 9df0b5f3f1e0e47846b0fa94406b284c24f46f464c9f4c7e39abfbd2be891422f7c367b075fd1b8da45eba4a3d2f4fd82c630c8758069004b8a9f92f98ef33cd

Filesize: 512KB
MD5: 91ef34209e8e14c07c8682abc927de07
SHA1: d0e649b31abb3eb2ccf7849490f846db0923787c
SHA256: 2d035127127216e85511cce6ee0a32eebb0bd53f7ad1a8bc2668e3496d66c8a6
SHA512: efa6ee3ec75dcf0d0753e4e0d198c209878dd358b1d28ab4ccf8861ab9736caf897f5a68979bed632a33c0807fe95d5d9be1928c2298de8b7f4a15ef35550b97

Filesize: 512KB
MD5: 6811422361b338598c940e1606edd24b
SHA1: df3c8a07d07066ecad246479d007242b9e59ab1a
SHA256: 030f06209486564f3b4f66928ce4413766da3b224f941f7098b045a6ad64df3d
SHA512: 9e78e8c4af6a66bebb4c63149d20d0c4aacad678c691c5aa40cb9ecdddd171884e12eeeb70a744c852b8a05f86fa9d21eae04690072bc34aac66e89606162357

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 1c9ae90bbcaeceda0ea45c0428c77379
SHA1: 422be7ca62c9ff74689e202b40c79a0929f5dcb6
SHA256: 192ad06d0e66eda2671cbb028216038ae44cb8f1651b327a89edc55f9aa92406
SHA512: b819f715d9ba502e3a66c087cb83a62cd071f2ffa241bcf0adb382488faa7653beb004a48084223ba31e5fde2e999b974d3d243ed058ba79c463f51aba9f6690

Filesize: 512KB
MD5: 96f873e095f84ff3ec8103415f6edf17
SHA1: 1ed96de56e677f320b8f1637c155f2a6f7fcdb90
SHA256: 00743050b5fb98550d129656142e29c78a1099225d0414ac74f8717795e49158
SHA512: 183e380aa93f5435995e0d9283e7e6170616ac162f86dd8c12d8d19022d15842a3f5601b413ab4f159e4704fbefb23d405dadb43e9f77590f1305ebcbc783ed7

Filesize: 512KB
MD5: 6d57b43749a221d704dff43c50a337ac
SHA1: f12cfdb31af9caabc808ea296de06e31bedfe253
SHA256: 59c40c17099597db4479e2ada871b81b28f1daf6eb788b9e989b82aff7260bea
SHA512: b6fdcbb0067be5aacb79f57973e1485fa81e6ac644ac12207eeb1f228b40b2643aeb91d85f0a4cbcb25a88669844f9916b0b0b320bc8ecd35d3c7d2d527ac00b