Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 29/05/2024, 23:09
Static task: static1
Behavioral task: behavioral1
  Sample: 824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe
Size: 512KB
MD5: 824784ab25d55d41cc738213250ea99c
SHA1: 990a124cb1294aa5af36ff4abcf8dcdf9bee5509
SHA256: 03c19f0c91c7c4c1b928a84b5ffe9e1c1d49b8be5ea9cadf32a92ca2344dcfbe
SHA512: de5672a96ac53f8424e860889c04cc936c60f8a259019635b0931d69e02991c1dfe7247425ad8cf2bcd2dd8ff5923394120531339bc750e357b5945dd981fc27
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5o
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (ncrscdttld.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (ncrscdttld.exe)
Windows security bypass (5 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (ncrscdttld.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ncrscdttld.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ncrscdttld.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ncrscdttld.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ncrscdttld.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (ncrscdttld.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
Executes dropped EXE (5 IoCs)
pid / Process:
- 3560 ncrscdttld.exe
- 1528 faufmyzfvbhopai.exe
- 860 yhefxscu.exe
- 4064 txktbcddhikgt.exe
- 3920 yhefxscu.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ncrscdttld.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (ncrscdttld.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ncrscdttld.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (ncrscdttld.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ncrscdttld.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ncrscdttld.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahxswlsx = "ncrscdttld.exe" (faufmyzfvbhopai.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cnratqej = "faufmyzfvbhopai.exe" (faufmyzfvbhopai.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "txktbcddhikgt.exe" (faufmyzfvbhopai.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only), grouped by process (64 events in total):
- yhefxscu.exe (45 events): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (each opened twice, except \??\x: opened once)
- ncrscdttld.exe (19 events): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\x: \??\z: (each opened once)
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (ncrscdttld.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (ncrscdttld.exe)
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource / yara_rule:
- behavioral2/memory/4332-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
- behavioral2/files/0x00070000000233fb-5.dat autoit_exe
- behavioral2/files/0x000a0000000233f2-20.dat autoit_exe
- behavioral2/files/0x00070000000233fc-28.dat autoit_exe
- behavioral2/files/0x00070000000233fd-32.dat autoit_exe
- behavioral2/files/0x00020000000229c3-66.dat autoit_exe
- behavioral2/files/0x00080000000233ed-69.dat autoit_exe
- behavioral2/files/0x001900000002293b-79.dat autoit_exe
- behavioral2/files/0x0003000000022978-85.dat autoit_exe
- behavioral2/files/0x0019000000023412-578.dat autoit_exe
- behavioral2/files/0x0019000000023412-586.dat autoit_exe
Drops file in System32 directory (13 IoCs)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (yhefxscu.exe)
- File created C:\Windows\SysWOW64\yhefxscu.exe (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\txktbcddhikgt.exe (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (yhefxscu.exe)
- File created C:\Windows\SysWOW64\faufmyzfvbhopai.exe (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\txktbcddhikgt.exe (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (ncrscdttld.exe)
- File opened for modification C:\Windows\SysWOW64\ncrscdttld.exe (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\yhefxscu.exe (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (yhefxscu.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (yhefxscu.exe)
- File created C:\Windows\SysWOW64\ncrscdttld.exe (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\faufmyzfvbhopai.exe (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
Drops file in Program Files directory (14 IoCs)
All events by yhefxscu.exe, grouped by path:
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe: File opened for modification (2)
- \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe: File created (1), File opened for modification (2)
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal: File opened for modification (2)
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe: File opened for modification (2)
- \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe: File created (1), File opened for modification (2)
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal: File opened for modification (2)
Drops file in Windows directory (19 IoCs)
Grouped by path:
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe: File created (2), File opened for modification (2) (yhefxscu.exe)
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe: File created (2), File opened for modification (2) (yhefxscu.exe)
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe: File created (2), File opened for modification (2) (yhefxscu.exe)
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe: File created (2), File opened for modification (2) (yhefxscu.exe)
- C:\Windows\mydoc.rtf: File opened for modification (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe); File opened for modification (WINWORD.EXE)
- C:\Windows\~$mydoc.rtf: File created (WINWORD.EXE)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class (20 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (ncrscdttld.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (ncrscdttld.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (ncrscdttld.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (ncrscdttld.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (ncrscdttld.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (ncrscdttld.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (ncrscdttld.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342C7B9D5282256A3F76D477222DDA7D8264DD" (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F06BC4FF6C22DBD10ED0A28B7A9062" (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
- Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (ncrscdttld.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (ncrscdttld.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (ncrscdttld.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (ncrscdttld.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B15B4792399D52BDB9D132EFD4B8" (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FC8F482B826E9141D75D7D91BD90E143593767356342D690" (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC67F14E0DAC5B9C07FE5EDE234BC" (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (ncrscdttld.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAFACCFE13F1E4837D3A3181EA3997B389028F43600349E2CE429A08A3" (824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid / Process:
- 4172 WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process (events per process):
- 4332 824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe (16 events)
- 860 yhefxscu.exe (8 events)
- 3560 ncrscdttld.exe (10 events)
- 4064 txktbcddhikgt.exe (16 events)
- 1528 faufmyzfvbhopai.exe (12 events)
- 3920 yhefxscu.exe (2 events)
Suspicious use of FindShellTrayWindow (18 IoCs)
pid / Process (events per process):
- 4332 824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe (3 events)
- 860 yhefxscu.exe (3 events)
- 3560 ncrscdttld.exe (3 events)
- 1528 faufmyzfvbhopai.exe (3 events)
- 4064 txktbcddhikgt.exe (3 events)
- 3920 yhefxscu.exe (3 events)
Suspicious use of SendNotifyMessage (18 IoCs)
pid / Process (events per process):
- 4332 824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe (3 events)
- 860 yhefxscu.exe (3 events)
- 3560 ncrscdttld.exe (3 events)
- 1528 faufmyzfvbhopai.exe (3 events)
- 4064 txktbcddhikgt.exe (3 events)
- 3920 yhefxscu.exe (3 events)
Suspicious use of SetWindowsHookEx (7 IoCs)
pid / Process:
- 4172 WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory (17 IoCs)
description / pid / Process / procid_target:
- PID 4332 wrote to memory of 3560 (4332 824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe, procid_target 84), 3 events
- PID 4332 wrote to memory of 1528 (4332 824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe, procid_target 85), 3 events
- PID 4332 wrote to memory of 860 (4332 824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe, procid_target 86), 3 events
- PID 4332 wrote to memory of 4064 (4332 824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe, procid_target 87), 3 events
- PID 4332 wrote to memory of 4172 (4332 824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe, procid_target 88), 2 events
- PID 3560 wrote to memory of 3920 (3560 ncrscdttld.exe, procid_target 90), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe (level 1, PID 4332)
  Command line: "C:\Users\Admin\AppData\Local\Temp\824784ab25d55d41cc738213250ea99c_JaffaCakes118.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\SysWOW64\ncrscdttld.exe (level 2, PID 3560)
    Command line: ncrscdttld.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child process: C:\Windows\SysWOW64\yhefxscu.exe (level 3, PID 3920)
      Command line: C:\Windows\system32\yhefxscu.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  Child process: C:\Windows\SysWOW64\faufmyzfvbhopai.exe (level 2, PID 1528)
    Command line: faufmyzfvbhopai.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  Child process: C:\Windows\SysWOW64\yhefxscu.exe (level 2, PID 860)
    Command line: yhefxscu.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  Child process: C:\Windows\SysWOW64\txktbcddhikgt.exe (level 2, PID 4064)
    Command line: txktbcddhikgt.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  Child process: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2, PID 4172)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
- Filesize: 512KB
  MD5: f0ed808d7394b416cabff10a568c0a40
  SHA1: cab2098ade339ec40f7c3c8de33de5ff8c6a2e5c
  SHA256: c9064362ee4e01bd8a7a1b96cab3cb59f36e77d771370004d2b8ef0c34f50e89
  SHA512: 7dd0884eb07ad678efc08289eb0922c0e00c0fc733132494309f60a1011df664dd8d253661a7931aa408036e689dec8393f69287375e42c2534bc20701eeb3ce
- Filesize: 512KB
  MD5: a99d19079e79a9c4665c520dceaf6716
  SHA1: 40a6b55e81af553c465d075722f572e43f463d60
  SHA256: eed6a175f2e6c634c11c48ed6d1ab695afebe30d695f872381be552d1bc24bc1
  SHA512: ea70e081663b06226cad1ffddb17540120fe924bd1b970c8552af2663637c410f6259a3ff2deee26a752832b3f65b133a400b27346ad5161977055e75283e60b
- Filesize: 239B
  MD5: 2fae0fe44fb67ed515b21a2b6fba40e3
  SHA1: d39c4cb134c596851c157406149129a69844613b
  SHA256: bd528b67c4e7b5924426cb6edc6bd85896db3a43e596bc76d32632d33eccc2b1
  SHA512: 9902e514810847d11b83ceb64209c7a363f3b482f5444474673988fa0729295d8612ae6aa0d81a09d9adeb958f7e0251b414ef808f82f279df504bc04a347087
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl
  Filesize: 263KB
  MD5: ff0e07eff1333cdf9fc2523d323dd654
  SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: b102da7262fa5da2a63df1bff772ff6a
  SHA1: 3658deeae16b760fef297a81926a5a0245ee9bc5
  SHA256: e72eb3b2bb8d3424b777c62de100a7012f22122da6cc550c291279cc864edc8a
  SHA512: 3a4e817672cc9df7548ed06bf01a42f0698a8457630772bf2ec134ccd45ac8e92ebda6b25cc48bf67aa384caa4cf8cb71e4a4b788ef80b146551041fb372f9d7
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 30d8720fa0b24a6a39cb77586f4ae44f
  SHA1: f6912f0d54f415872fd332046a3d029508a3e8da
  SHA256: ae6fecb608e79d7b047a0cf6f01a404f5ab94fe9781e083c950289d7a5ef0256
  SHA512: 34e27dc788c6925170fe537ea72c6dc8218660240ea67804436160188abc37c09f226ec4251c5071e9692ee4c6866dc6b04bb49e8adae6ed8968b4253889b600
- Filesize: 512KB
  MD5: 8dc03d820202ec67d5836465df038cac
  SHA1: 0ce338c8cd466cc3edc5f0b5508f21305860db76
  SHA256: 723f5317bac3acace556f48a9daa7ef581aef13ccf8208eae2829d6878fe5a7e
  SHA512: d1c2b49948886d7166497c8a6df415fc19ca8e45e855e5308e50e31f74767d55401c88ecc0c2870a835ba86e6b9033df54426a7176ff743a920413c94983289f
- Filesize: 512KB
  MD5: 3a0ca805621b9408386acf1831f2fa3e
  SHA1: b5e594a4fd431c5ce400cf74ce5ffd7ebab74ca7
  SHA256: 972039b221211e998a82431d9c8d29b7005a42305c1b021c8b600e00b427d70d
  SHA512: 5cf1d1a685a06dc09a9991fa262b2e52bb3ccc458e4c006c820c23833f32c21d01e2b1e418de7c746f5aae61de8acfcc8571436f87e066a33ed0c73fccd6b426
- Filesize: 512KB
  MD5: 999160150c3b9437db280a7aba2fe230
  SHA1: 47961027a7e72a6de7aa8982e62f279dc9d12773
  SHA256: 6b6e6c40f1f7cd887ae49a886291ab390cf9aa563a8579cdbdf9af3b7e130678
  SHA512: 370fd412a7ad60ce44b92993d64984a7d2d15ee4037a7196bd713ea0ae284b0b2503d1c6a4666ed6344fdbc6fea9f445d8f2b0b40927a579eac838d937f95cc4
- Filesize: 512KB
  MD5: 2fd86210e9b9475e621c3b402358b992
  SHA1: 503d30a44c547b00f59ce9976e234792b94cf238
  SHA256: 34d515ce94e4a6835eb46f396ebb13ad3b973253993c2ef99c7edb102f1be121
  SHA512: e29bc6e45c8c940f51d00211c943b08f8bc2b56cb44a43cd3e9337998d44ba80e9284b68765dcaab8d423c4557ac1c8e24ef3d69a6ee5d4bc22d00de1f1090f8
- Filesize: 512KB
  MD5: c574bb8c299bb96ad673cc888dcec1a8
  SHA1: ac466e4616d37c0951d7bc424035d3515d8b085c
  SHA256: a64424ffdb2bad8cb6721d12806a19ff624f76f6209719b3b74209bf5d1398fc
  SHA512: fc259defb4901766e01dcf26586d771856ba43a282875cabcb4a827f3d2ccc2c68a1552dee93d36fed345daa0124d9f70fe8a005d23d752283e1d2b1f39ed836
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 512KB
  MD5: 321ed26206d763a7138b89dc05c532b6
  SHA1: 5c28e7d4d017d12686a816e6bec5d23bc9aa357e
  SHA256: e7afb0145bf07186aa880007ab64e670f6d4651808ccfcf2d85348fa118a0be0
  SHA512: 7d70042adea95937605710fdfeca90cb2859fee58bde312124ce3c0c1c8e97ffe3995eb0756e0a72462e11f034d4b73d0fbc727509889f9764b6c6001e2f0edf
- Filesize: 512KB
  MD5: 506ae4e3289adde1ae84bfb5234c2053
  SHA1: 77acedd2ee4aa2edbfbfb210b62c8b65e7b16184
  SHA256: 0f0fd09a8da792fc2f1f9bbfb626f0d318eda5394af3ae02442bc8dbec70967a
  SHA512: b685c9aa04ca8bfeeec5e4d56d99044c6edc3d71e3fec5575ad0c40954f525179009e0bcd9d79a298c74fe7fb476f0b8eb549ebf10fb0615795c1dd1ccef1960
- Filesize: 512KB
  MD5: b78b6737e08d3454b3ca4c7b11fe4c8a
  SHA1: 1812b6fd8b6e0700f3c064f23fad0dab6b24e17f
  SHA256: 11c1eb99f0264b77c238b2110ba8503f332344b42d58bd2a0c103be64396f706
  SHA512: 20ef761f33c5c331a14007871ea5c61269a7e1bfd148fbfca9d40202e8771534f4c001109f3bae795f31433b3cc8f21f42d33474264230a84264de6b5e02f256