Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/05/2024, 17:53
Static task: static1
Behavioral task: behavioral1
  Sample: 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
Size: 512KB
MD5: 6bc7146d386e26ce3ce7519cddf3938b
SHA1: 81866157e77f2df4840f23a2f14a38cb85574e1f
SHA256: ea38bfc76603bf0d69cff913671ebfce4fcebfb9574e99754dcf017427360155
SHA512: 89b090580e532c508682ea9acfac942d2d06a90a984614ad4ad7743b7ffc995c712231c62d14424eae9d2b6fafcbacc5302e9b27438fd22762fa6ebf3e4e9b37
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj61:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | iqfeqkumxj.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | iqfeqkumxj.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iqfeqkumxj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | iqfeqkumxj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iqfeqkumxj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | iqfeqkumxj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | iqfeqkumxj.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | iqfeqkumxj.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | Process
4944 | iqfeqkumxj.exe
3620 | bemujughgqjkhli.exe
1836 | plhpnbid.exe
3040 | sjwqzmjdmuwwt.exe
3140 | plhpnbid.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | iqfeqkumxj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iqfeqkumxj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | iqfeqkumxj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iqfeqkumxj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | iqfeqkumxj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | iqfeqkumxj.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tycatywb = "iqfeqkumxj.exe" | bemujughgqjkhli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xcbwysjn = "bemujughgqjkhli.exe" | bemujughgqjkhli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sjwqzmjdmuwwt.exe" | bemujughgqjkhli.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\t: | iqfeqkumxj.exe
File opened (read-only) | \??\w: | plhpnbid.exe
File opened (read-only) | \??\k: | iqfeqkumxj.exe
File opened (read-only) | \??\b: | iqfeqkumxj.exe
File opened (read-only) | \??\a: | iqfeqkumxj.exe
File opened (read-only) | \??\u: | plhpnbid.exe
File opened (read-only) | \??\i: | iqfeqkumxj.exe
File opened (read-only) | \??\b: | plhpnbid.exe
File opened (read-only) | \??\h: | plhpnbid.exe
File opened (read-only) | \??\i: | plhpnbid.exe
File opened (read-only) | \??\p: | plhpnbid.exe
File opened (read-only) | \??\u: | plhpnbid.exe
File opened (read-only) | \??\j: | plhpnbid.exe
File opened (read-only) | \??\r: | iqfeqkumxj.exe
File opened (read-only) | \??\u: | iqfeqkumxj.exe
File opened (read-only) | \??\v: | iqfeqkumxj.exe
File opened (read-only) | \??\e: | plhpnbid.exe
File opened (read-only) | \??\j: | plhpnbid.exe
File opened (read-only) | \??\x: | plhpnbid.exe
File opened (read-only) | \??\y: | plhpnbid.exe
File opened (read-only) | \??\e: | iqfeqkumxj.exe
File opened (read-only) | \??\j: | iqfeqkumxj.exe
File opened (read-only) | \??\p: | iqfeqkumxj.exe
File opened (read-only) | \??\x: | plhpnbid.exe
File opened (read-only) | \??\z: | plhpnbid.exe
File opened (read-only) | \??\l: | iqfeqkumxj.exe
File opened (read-only) | \??\x: | iqfeqkumxj.exe
File opened (read-only) | \??\y: | iqfeqkumxj.exe
File opened (read-only) | \??\o: | plhpnbid.exe
File opened (read-only) | \??\v: | plhpnbid.exe
File opened (read-only) | \??\a: | plhpnbid.exe
File opened (read-only) | \??\g: | plhpnbid.exe
File opened (read-only) | \??\r: | plhpnbid.exe
File opened (read-only) | \??\h: | plhpnbid.exe
File opened (read-only) | \??\s: | plhpnbid.exe
File opened (read-only) | \??\m: | plhpnbid.exe
File opened (read-only) | \??\q: | plhpnbid.exe
File opened (read-only) | \??\q: | iqfeqkumxj.exe
File opened (read-only) | \??\b: | plhpnbid.exe
File opened (read-only) | \??\s: | iqfeqkumxj.exe
File opened (read-only) | \??\y: | plhpnbid.exe
File opened (read-only) | \??\n: | plhpnbid.exe
File opened (read-only) | \??\z: | plhpnbid.exe
File opened (read-only) | \??\e: | plhpnbid.exe
File opened (read-only) | \??\n: | plhpnbid.exe
File opened (read-only) | \??\o: | plhpnbid.exe
File opened (read-only) | \??\w: | plhpnbid.exe
File opened (read-only) | \??\o: | iqfeqkumxj.exe
File opened (read-only) | \??\k: | plhpnbid.exe
File opened (read-only) | \??\i: | plhpnbid.exe
File opened (read-only) | \??\s: | plhpnbid.exe
File opened (read-only) | \??\g: | iqfeqkumxj.exe
File opened (read-only) | \??\m: | iqfeqkumxj.exe
File opened (read-only) | \??\z: | iqfeqkumxj.exe
File opened (read-only) | \??\k: | plhpnbid.exe
File opened (read-only) | \??\t: | plhpnbid.exe
File opened (read-only) | \??\g: | plhpnbid.exe
File opened (read-only) | \??\r: | plhpnbid.exe
File opened (read-only) | \??\v: | plhpnbid.exe
File opened (read-only) | \??\h: | iqfeqkumxj.exe
File opened (read-only) | \??\a: | plhpnbid.exe
File opened (read-only) | \??\l: | plhpnbid.exe
File opened (read-only) | \??\q: | plhpnbid.exe
File opened (read-only) | \??\m: | plhpnbid.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | iqfeqkumxj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | iqfeqkumxj.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2412-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023451-5.dat | autoit_exe
behavioral2/files/0x0008000000023450-18.dat | autoit_exe
behavioral2/files/0x0007000000023452-25.dat | autoit_exe
behavioral2/files/0x0007000000023453-29.dat | autoit_exe
behavioral2/files/0x0008000000023413-70.dat | autoit_exe
behavioral2/files/0x00020000000229af-66.dat | autoit_exe
behavioral2/files/0x000a00000002338a-79.dat | autoit_exe
behavioral2/files/0x0008000000023461-97.dat | autoit_exe
behavioral2/files/0x0008000000023461-516.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\iqfeqkumxj.exe | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bemujughgqjkhli.exe | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\sjwqzmjdmuwwt.exe | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | plhpnbid.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | plhpnbid.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | plhpnbid.exe
File opened for modification | C:\Windows\SysWOW64\iqfeqkumxj.exe | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bemujughgqjkhli.exe | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\plhpnbid.exe | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\plhpnbid.exe | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\sjwqzmjdmuwwt.exe | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | iqfeqkumxj.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | plhpnbid.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | plhpnbid.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | plhpnbid.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | plhpnbid.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | plhpnbid.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | plhpnbid.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | plhpnbid.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | plhpnbid.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | plhpnbid.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | plhpnbid.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | plhpnbid.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | plhpnbid.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | plhpnbid.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | plhpnbid.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | plhpnbid.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | plhpnbid.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | plhpnbid.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | plhpnbid.exe
File opened for modification | C:\Windows\mydoc.rtf | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | plhpnbid.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | plhpnbid.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | plhpnbid.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | plhpnbid.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | plhpnbid.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | plhpnbid.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | plhpnbid.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | plhpnbid.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | plhpnbid.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | plhpnbid.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | plhpnbid.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | plhpnbid.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | plhpnbid.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB15F47E638E253BFBAD0329CD7BB" | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | iqfeqkumxj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | iqfeqkumxj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | iqfeqkumxj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | iqfeqkumxj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFAB1F960F2E5837A3A44869C3999B088038A43620332E1BD42EC08A3" | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | iqfeqkumxj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | iqfeqkumxj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | iqfeqkumxj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFF8D4F2782699032D72A7DE6BD90E144584266406242D690" | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F568C3FE6721D9D10FD1A78B7E9113" | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | iqfeqkumxj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | iqfeqkumxj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | iqfeqkumxj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352D799C5683236D4676A277232CAC7C8664AA" | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C60B15E0DBC7B9CD7FE7ED9434C7" | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | iqfeqkumxj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | iqfeqkumxj.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1508 | WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (consecutive repeats collapsed, original order kept)
2412 | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe (x16)
3620 | bemujughgqjkhli.exe (x8)
1836 | plhpnbid.exe (x2)
3620 | bemujughgqjkhli.exe (x2)
1836 | plhpnbid.exe (x6)
4944 | iqfeqkumxj.exe (x10)
3040 | sjwqzmjdmuwwt.exe (x12)
3620 | bemujughgqjkhli.exe (x2)
3140 | plhpnbid.exe (x6)
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
2412 | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe (x3)
4944 | iqfeqkumxj.exe (x3)
3620 | bemujughgqjkhli.exe (x3)
1836 | plhpnbid.exe (x3)
3040 | sjwqzmjdmuwwt.exe (x3)
3140 | plhpnbid.exe (x3)
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
2412 | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe (x3)
4944 | iqfeqkumxj.exe (x3)
3620 | bemujughgqjkhli.exe (x3)
1836 | plhpnbid.exe (x3)
3040 | sjwqzmjdmuwwt.exe (x3)
3140 | plhpnbid.exe (x3)
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
1508 | WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 2412 wrote to memory of 4944 | 2412 | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe | 85 (x3)
PID 2412 wrote to memory of 3620 | 2412 | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe | 86 (x3)
PID 2412 wrote to memory of 1836 | 2412 | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe | 87 (x3)
PID 2412 wrote to memory of 3040 | 2412 | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe | 88 (x3)
PID 2412 wrote to memory of 1508 | 2412 | 6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe | 89 (x2)
PID 4944 wrote to memory of 3140 | 4944 | iqfeqkumxj.exe | 91 (x3)
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6bc7146d386e26ce3ce7519cddf3938b_JaffaCakes118.exe"
  PID: 2412
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\iqfeqkumxj.exe
      Command line: iqfeqkumxj.exe
      PID: 4944
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\plhpnbid.exe
          Command line: C:\Windows\system32\plhpnbid.exe
          PID: 3140
          - Executes dropped EXE
          - Enumerates connected drives
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\bemujughgqjkhli.exe
      Command line: bemujughgqjkhli.exe
      PID: 3620
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\plhpnbid.exe
      Command line: plhpnbid.exe
      PID: 1836
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\sjwqzmjdmuwwt.exe
      Command line: sjwqzmjdmuwwt.exe
      PID: 3040
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      PID: 1508
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads