Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
29/05/2024, 05:21
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe
Resource
win7-20240508-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral2
Sample
7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe
-
Size
512KB
-
MD5
7f9d1ee58a41935047dd6e5127cf671f
-
SHA1
2a718220cf80fcd26ebd6ffdc81e81fa949e704b
-
SHA256
076fbed368d515a4f27a373038975d3120d2c1b6548e2ff1d8a0b3c72338db1e
-
SHA512
79df0a835b96c68a621bc0fe2ffe156a0e9c0d990d16687a579757b34934d8f59458bdc5197f0f4dd67c2e0817957d1f610ffc3214effbe0e2fe0b0bf78b8a02
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" usyumcwlwt.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" usyumcwlwt.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" usyumcwlwt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" usyumcwlwt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" usyumcwlwt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" usyumcwlwt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" usyumcwlwt.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" usyumcwlwt.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 1808 usyumcwlwt.exe 2368 fxlzdhxhywxxwlr.exe 2428 axqajvgj.exe 464 hvaqccwlnpwdn.exe 3180 axqajvgj.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" usyumcwlwt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" usyumcwlwt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" usyumcwlwt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" usyumcwlwt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" usyumcwlwt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" usyumcwlwt.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qplkvuoy = "usyumcwlwt.exe" fxlzdhxhywxxwlr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nhfguwek = "fxlzdhxhywxxwlr.exe" fxlzdhxhywxxwlr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hvaqccwlnpwdn.exe" fxlzdhxhywxxwlr.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\q: axqajvgj.exe File opened (read-only) \??\a: usyumcwlwt.exe File opened (read-only) \??\h: axqajvgj.exe File opened (read-only) \??\k: axqajvgj.exe File opened (read-only) \??\o: axqajvgj.exe File opened (read-only) \??\x: axqajvgj.exe File opened (read-only) \??\b: usyumcwlwt.exe File opened (read-only) \??\r: usyumcwlwt.exe File opened (read-only) \??\x: usyumcwlwt.exe File opened (read-only) \??\a: axqajvgj.exe File opened (read-only) \??\v: axqajvgj.exe File opened (read-only) \??\j: axqajvgj.exe File opened (read-only) \??\v: usyumcwlwt.exe File opened (read-only) \??\g: axqajvgj.exe File opened (read-only) \??\l: axqajvgj.exe File opened (read-only) \??\e: axqajvgj.exe File opened (read-only) \??\i: axqajvgj.exe File opened (read-only) \??\m: usyumcwlwt.exe File opened (read-only) \??\y: usyumcwlwt.exe File opened (read-only) \??\b: axqajvgj.exe File opened (read-only) \??\h: axqajvgj.exe File opened (read-only) \??\z: usyumcwlwt.exe File opened (read-only) \??\u: axqajvgj.exe File opened (read-only) \??\v: axqajvgj.exe File opened (read-only) \??\y: axqajvgj.exe File opened (read-only) \??\h: usyumcwlwt.exe File opened (read-only) \??\l: usyumcwlwt.exe File opened (read-only) \??\u: usyumcwlwt.exe File opened (read-only) \??\g: usyumcwlwt.exe File opened (read-only) \??\p: axqajvgj.exe File opened (read-only) \??\b: axqajvgj.exe File opened (read-only) \??\s: axqajvgj.exe File opened (read-only) \??\t: axqajvgj.exe File opened (read-only) \??\k: usyumcwlwt.exe File opened (read-only) \??\n: usyumcwlwt.exe File opened (read-only) \??\q: axqajvgj.exe File opened (read-only) \??\i: usyumcwlwt.exe File opened (read-only) \??\s: usyumcwlwt.exe File opened (read-only) \??\j: axqajvgj.exe File opened (read-only) \??\m: axqajvgj.exe File opened (read-only) \??\n: axqajvgj.exe File opened (read-only) \??\z: axqajvgj.exe File opened (read-only) \??\j: usyumcwlwt.exe File opened (read-only) \??\e: axqajvgj.exe File opened (read-only) \??\t: axqajvgj.exe File opened (read-only) \??\a: axqajvgj.exe File opened (read-only) \??\o: usyumcwlwt.exe File opened (read-only) \??\t: usyumcwlwt.exe File opened (read-only) \??\n: axqajvgj.exe File opened (read-only) \??\g: axqajvgj.exe File opened (read-only) \??\p: axqajvgj.exe File opened (read-only) \??\m: axqajvgj.exe File opened (read-only) \??\l: axqajvgj.exe File opened (read-only) \??\r: axqajvgj.exe File opened (read-only) \??\x: axqajvgj.exe File opened (read-only) \??\y: axqajvgj.exe File opened (read-only) \??\z: axqajvgj.exe File opened (read-only) \??\o: axqajvgj.exe File opened (read-only) \??\p: usyumcwlwt.exe File opened (read-only) \??\u: axqajvgj.exe File opened (read-only) \??\k: axqajvgj.exe File opened (read-only) \??\w: axqajvgj.exe File opened (read-only) \??\e: usyumcwlwt.exe File opened (read-only) \??\r: axqajvgj.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" usyumcwlwt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" usyumcwlwt.exe -
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/3216-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x0007000000023496-5.dat autoit_exe behavioral2/files/0x0008000000023495-19.dat autoit_exe behavioral2/files/0x0007000000023497-24.dat autoit_exe behavioral2/files/0x0007000000023498-31.dat autoit_exe behavioral2/files/0x000500000001da42-69.dat autoit_exe behavioral2/files/0x000400000001da4d-72.dat autoit_exe behavioral2/files/0x0015000000022a33-572.dat autoit_exe behavioral2/files/0x0015000000022a33-580.dat autoit_exe -
Drops file in System32 directory 13 IoCs
description ioc Process File created C:\Windows\SysWOW64\axqajvgj.exe 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\axqajvgj.exe 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe File created C:\Windows\SysWOW64\hvaqccwlnpwdn.exe 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\hvaqccwlnpwdn.exe 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe File created C:\Windows\SysWOW64\usyumcwlwt.exe 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe axqajvgj.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll usyumcwlwt.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe axqajvgj.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe axqajvgj.exe File created C:\Windows\SysWOW64\fxlzdhxhywxxwlr.exe 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\fxlzdhxhywxxwlr.exe 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe axqajvgj.exe File opened for modification C:\Windows\SysWOW64\usyumcwlwt.exe 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe axqajvgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe axqajvgj.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe axqajvgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe axqajvgj.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe axqajvgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe axqajvgj.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe axqajvgj.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe axqajvgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal axqajvgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal axqajvgj.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe axqajvgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal axqajvgj.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe axqajvgj.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe axqajvgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal axqajvgj.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe axqajvgj.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe axqajvgj.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe axqajvgj.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe axqajvgj.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe axqajvgj.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe axqajvgj.exe File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe axqajvgj.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe axqajvgj.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe axqajvgj.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe axqajvgj.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe axqajvgj.exe File opened for modification C:\Windows\mydoc.rtf 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe axqajvgj.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe axqajvgj.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe axqajvgj.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe axqajvgj.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe axqajvgj.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC67915E4DAC7B9C17FE3EDE234BB" 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" usyumcwlwt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" usyumcwlwt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAF9BCF961F29383743B3281EC3999B3FD038842600248E2C942EC09A8" 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FCF8485882699142D75D7E92BDE1E13C584766406343D79A" 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" usyumcwlwt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" usyumcwlwt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat usyumcwlwt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh usyumcwlwt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" usyumcwlwt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf usyumcwlwt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" usyumcwlwt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462D7B9D2082236A3176D377212CAB7CF265DD" 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB05B44EF39E353C4B9D43292D7CC" 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F068B5FE6821AAD109D1D28A0F9063" 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc usyumcwlwt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs usyumcwlwt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg usyumcwlwt.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 3016 WINWORD.EXE 3016 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 2368 fxlzdhxhywxxwlr.exe 2368 fxlzdhxhywxxwlr.exe 2368 fxlzdhxhywxxwlr.exe 2368 fxlzdhxhywxxwlr.exe 2368 fxlzdhxhywxxwlr.exe 2368 fxlzdhxhywxxwlr.exe 2368 fxlzdhxhywxxwlr.exe 2368 fxlzdhxhywxxwlr.exe 1808 usyumcwlwt.exe 1808 usyumcwlwt.exe 1808 usyumcwlwt.exe 1808 usyumcwlwt.exe 1808 usyumcwlwt.exe 1808 usyumcwlwt.exe 1808 usyumcwlwt.exe 1808 usyumcwlwt.exe 1808 usyumcwlwt.exe 1808 usyumcwlwt.exe 464 hvaqccwlnpwdn.exe 2368 fxlzdhxhywxxwlr.exe 2368 fxlzdhxhywxxwlr.exe 464 hvaqccwlnpwdn.exe 464 hvaqccwlnpwdn.exe 464 hvaqccwlnpwdn.exe 464 hvaqccwlnpwdn.exe 464 hvaqccwlnpwdn.exe 464 hvaqccwlnpwdn.exe 464 hvaqccwlnpwdn.exe 464 hvaqccwlnpwdn.exe 464 hvaqccwlnpwdn.exe 464 hvaqccwlnpwdn.exe 464 hvaqccwlnpwdn.exe 2428 axqajvgj.exe 2428 axqajvgj.exe 2428 axqajvgj.exe 2428 axqajvgj.exe 2428 axqajvgj.exe 2428 axqajvgj.exe 2428 axqajvgj.exe 2428 axqajvgj.exe 2368 fxlzdhxhywxxwlr.exe 2368 fxlzdhxhywxxwlr.exe 3180 axqajvgj.exe 3180 axqajvgj.exe 3180 axqajvgj.exe 3180 axqajvgj.exe 3180 axqajvgj.exe 3180 axqajvgj.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 1808 usyumcwlwt.exe 1808 usyumcwlwt.exe 1808 usyumcwlwt.exe 2368 fxlzdhxhywxxwlr.exe 2368 fxlzdhxhywxxwlr.exe 2368 fxlzdhxhywxxwlr.exe 2428 axqajvgj.exe 464 hvaqccwlnpwdn.exe 2428 axqajvgj.exe 464 hvaqccwlnpwdn.exe 2428 axqajvgj.exe 464 hvaqccwlnpwdn.exe 3180 axqajvgj.exe 3180 axqajvgj.exe 3180 axqajvgj.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 1808 usyumcwlwt.exe 1808 usyumcwlwt.exe 1808 usyumcwlwt.exe 2368 fxlzdhxhywxxwlr.exe 2368 fxlzdhxhywxxwlr.exe 2368 fxlzdhxhywxxwlr.exe 2428 axqajvgj.exe 464 hvaqccwlnpwdn.exe 2428 axqajvgj.exe 464 hvaqccwlnpwdn.exe 2428 axqajvgj.exe 464 hvaqccwlnpwdn.exe 3180 axqajvgj.exe 3180 axqajvgj.exe 3180 axqajvgj.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 3016 WINWORD.EXE 3016 WINWORD.EXE 3016 WINWORD.EXE 3016 WINWORD.EXE 3016 WINWORD.EXE 3016 WINWORD.EXE 3016 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 3216 wrote to memory of 1808 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 82 PID 3216 wrote to memory of 1808 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 82 PID 3216 wrote to memory of 1808 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 82 PID 3216 wrote to memory of 2368 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 83 PID 3216 wrote to memory of 2368 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 83 PID 3216 wrote to memory of 2368 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 83 PID 3216 wrote to memory of 2428 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 84 PID 3216 wrote to memory of 2428 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 84 PID 3216 wrote to memory of 2428 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 84 PID 3216 wrote to memory of 464 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 85 PID 3216 wrote to memory of 464 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 85 PID 3216 wrote to memory of 464 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 85 PID 3216 wrote to memory of 3016 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 86 PID 3216 wrote to memory of 3016 3216 7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe 86 PID 1808 wrote to memory of 3180 1808 usyumcwlwt.exe 88 PID 1808 wrote to memory of 3180 1808 usyumcwlwt.exe 88 PID 1808 wrote to memory of 3180 1808 usyumcwlwt.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7f9d1ee58a41935047dd6e5127cf671f_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\usyumcwlwt.exeusyumcwlwt.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\axqajvgj.exeC:\Windows\system32\axqajvgj.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3180
-
-
-
C:\Windows\SysWOW64\fxlzdhxhywxxwlr.exefxlzdhxhywxxwlr.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2368
-
-
C:\Windows\SysWOW64\axqajvgj.exeaxqajvgj.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2428
-
-
C:\Windows\SysWOW64\hvaqccwlnpwdn.exehvaqccwlnpwdn.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:464
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3016
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5a70b6d2e3da6ba16162cef79331090a4
SHA1cffce86ba7c1e05068d932735416093840b61bd0
SHA256cdb726a422e2e22e17fa69430a283355c777aab026455168eb575c3e99483527
SHA51229c7854536bfb77a815e599ebb6d8077fa93a57d48f186688752f8777513d2a129a32441c40e1e7e5896d394f57839051bdc7ca38a2b0b1d0bbe2a5f42ef146d
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5a55a1c333bb7907508b76fee9ee89479
SHA17f9135db321207856dadba78002e3bfe9a32af6a
SHA256f43fd91e7a375bd4a029f73587d6e9ec88c8a29da1efec87aa3bd70c9fae42a1
SHA512a5889a3b2d11948222f5207a0ef36f096f100921e936cfa1ef63e71a812ed18bd49c01e8ffb00ffad1afc254e17066d6641f3c0f7a930c6b64ea2b20bbda9645
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD594446d2dd012b9bb8e1a19ddaaeec373
SHA102361fc09409f60a57513611394288087bba6cb5
SHA256eb87f58bbc2677df517c98ddbd6eaff29b996f7d0128f65f70515c9b2ee55a1d
SHA5122b5e47e844f49f32e6d97fb7b7e2f18849de3cd447df2e54d266c5c5a62e7ecca546dfc71bee04661541202d5307fd12ceaf33ff795a32450247d0ebdada5066
-
Filesize
512KB
MD587adcb50faa86961913a1be70fec0f86
SHA16ba6f7e3142afed5a020cf4258cbfc12e4e6187d
SHA256839be0a3f168c732be3e7067c784e96d176987c775b1dbe568f84b2c22212b9f
SHA512c0ea516208afe77c8bd24bffa61b5ac15925f5f4866c86e36d5fd9f03cb19e367032ad9e379d83d4f62073bb2c0f3162f4b92b7a86d43a8f89752efb1748bffd
-
Filesize
512KB
MD56e71e96b1f7eb0906134f287d7d18542
SHA1d215e647c7874b8bfb8bc41638c3fd118f3bfc86
SHA256c6071a0f3ebfb5b4f2d9d78417567c91c9e81928f5ba42d897f4f00565b4ca12
SHA5124ca895c9f8eb638860650a5f5f97c0866e2d9361f374fd056b46d29076d20b1737f70e1d533c4550e3abe6ecb0632af54a2559631974b08e706ad0678095065b
-
Filesize
512KB
MD59d33fd23c5d55b01f97a6f4517e06630
SHA14dea4e4b21674dde9ef490f1cae561c6b5e13abd
SHA256aff5c7248394c6b135700e5e6f9aa670b146389db0615ce8a9df178be262b8e3
SHA51299b573a8f551afb4dd6dc9e25692dd72325d6f07f18da08de2facc7c1fc13bbc43bfaca3fbe9ec8f28a7dbd4e0431b0b403cf053bc5f65be99528fc40c480dcf
-
Filesize
512KB
MD55f36340cd97bf3748d2613e06eb21de1
SHA1af45f85174e8a2d535797ea48b51b0220351d737
SHA25681ffb22c5893399eef6e4eb324c9aacc83b2f8fcc1d503ec44a8131172f08fa7
SHA51247d09ee91386671c84e64df20554335858977d5723726013a33a23482bfd37c10fdae88aa8c58c76c8df518f5b855adfe0bea8b4c5f06d1a55125798b6669c89
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD577505a2266bb4d5f183e287b29ac7156
SHA19e2d2f672c79ff220972e8ad5cc3aa8a02a46a11
SHA256a1c8a216c02c803357eb240619f2b085994bb4044802db73870d08df14143c8d
SHA512413ee32dad3d1479bed373ded58d07f6082238efd6af5d1d74f6b19e9e8261bd9dc88d6f5e3863aba396a7be3d017726334b7e263951bffcd782e8bb9e540d22
-
Filesize
512KB
MD5fca2a135cf6db965cafe601f62ae5094
SHA13e2bede8542059a0efe632fc13fa860e58c91218
SHA2563f01b7bd33acd199fbf8ad71397712ae28f2bef8f205eac0e4a951f813b6d4e9
SHA512f2cb566f6adb95edf31d3b63cda73aa5760fd053ae4174809c576464ad881fffa0ad51b18d5e87b9ac3ada1b079ede23978a004d0a755f7eadc10b09407bc5a9
-
Filesize
512KB
MD52274467684b205a590db9a20353d8bc7
SHA1d780d261376bc6c8cd2174f0a43e35947980414d
SHA25607f783f2e65f914a03238aa5aec9a98cc2ed564502a9e6ce965b0ab082a67a75
SHA5129e6bd71fd327e505986e957a4f96f660ddace1458a0ec907d180be4b386be684b439beb6520218d418eed70b9fec14fe9c738a45795dec42bf40eeef1d370eb8