Analysis
max time kernel: 149s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 05:27
Static task: static1
Behavioral task: behavioral1
  Sample: 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
Size: 512KB
MD5: 83299ddb0aeedab9ccb3bef2ef829144
SHA1: f70cc92c38ccc2209e94329d42eed600f6625c2a
SHA256: 4eb8083af35bd37f03a3e1e8e1f69a5443e0266bc3530468028a6eaaf1f93ecc
SHA512: 95017cc73fa450c1ea3d3515983ab54ea799d939fb1d7340f29b6ee0c177651401c85adaac4b22f9337c0cf566059a62fad70848c2ceb88d6ed87bf29c080703
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | yexggeuhhj.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | yexggeuhhj.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | yexggeuhhj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | yexggeuhhj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | yexggeuhhj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | yexggeuhhj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | yexggeuhhj.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | yexggeuhhj.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | Process
2572 | yexggeuhhj.exe
1848 | hvwpcddlfusmoou.exe
4196 | sdehaiwj.exe
4168 | vsdmfruzoaoth.exe
1140 | sdehaiwj.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | yexggeuhhj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | yexggeuhhj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | yexggeuhhj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | yexggeuhhj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | yexggeuhhj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | yexggeuhhj.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfleaabl = "yexggeuhhj.exe" | hvwpcddlfusmoou.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msfnmirr = "hvwpcddlfusmoou.exe" | hvwpcddlfusmoou.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vsdmfruzoaoth.exe" | hvwpcddlfusmoou.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\w: | sdehaiwj.exe
File opened (read-only) | \??\h: | sdehaiwj.exe
File opened (read-only) | \??\s: | sdehaiwj.exe
File opened (read-only) | \??\s: | yexggeuhhj.exe
File opened (read-only) | \??\v: | yexggeuhhj.exe
File opened (read-only) | \??\i: | sdehaiwj.exe
File opened (read-only) | \??\l: | sdehaiwj.exe
File opened (read-only) | \??\m: | sdehaiwj.exe
File opened (read-only) | \??\o: | yexggeuhhj.exe
File opened (read-only) | \??\u: | yexggeuhhj.exe
File opened (read-only) | \??\h: | sdehaiwj.exe
File opened (read-only) | \??\k: | sdehaiwj.exe
File opened (read-only) | \??\q: | sdehaiwj.exe
File opened (read-only) | \??\w: | sdehaiwj.exe
File opened (read-only) | \??\g: | yexggeuhhj.exe
File opened (read-only) | \??\j: | yexggeuhhj.exe
File opened (read-only) | \??\p: | sdehaiwj.exe
File opened (read-only) | \??\r: | sdehaiwj.exe
File opened (read-only) | \??\l: | yexggeuhhj.exe
File opened (read-only) | \??\n: | yexggeuhhj.exe
File opened (read-only) | \??\b: | sdehaiwj.exe
File opened (read-only) | \??\t: | sdehaiwj.exe
File opened (read-only) | \??\p: | yexggeuhhj.exe
File opened (read-only) | \??\i: | sdehaiwj.exe
File opened (read-only) | \??\v: | sdehaiwj.exe
File opened (read-only) | \??\y: | sdehaiwj.exe
File opened (read-only) | \??\z: | yexggeuhhj.exe
File opened (read-only) | \??\v: | sdehaiwj.exe
File opened (read-only) | \??\x: | sdehaiwj.exe
File opened (read-only) | \??\x: | yexggeuhhj.exe
File opened (read-only) | \??\j: | sdehaiwj.exe
File opened (read-only) | \??\g: | sdehaiwj.exe
File opened (read-only) | \??\k: | sdehaiwj.exe
File opened (read-only) | \??\p: | sdehaiwj.exe
File opened (read-only) | \??\t: | yexggeuhhj.exe
File opened (read-only) | \??\e: | sdehaiwj.exe
File opened (read-only) | \??\a: | sdehaiwj.exe
File opened (read-only) | \??\j: | sdehaiwj.exe
File opened (read-only) | \??\e: | sdehaiwj.exe
File opened (read-only) | \??\e: | yexggeuhhj.exe
File opened (read-only) | \??\z: | sdehaiwj.exe
File opened (read-only) | \??\o: | sdehaiwj.exe
File opened (read-only) | \??\y: | sdehaiwj.exe
File opened (read-only) | \??\b: | yexggeuhhj.exe
File opened (read-only) | \??\r: | yexggeuhhj.exe
File opened (read-only) | \??\b: | sdehaiwj.exe
File opened (read-only) | \??\t: | sdehaiwj.exe
File opened (read-only) | \??\n: | sdehaiwj.exe
File opened (read-only) | \??\u: | sdehaiwj.exe
File opened (read-only) | \??\i: | yexggeuhhj.exe
File opened (read-only) | \??\q: | yexggeuhhj.exe
File opened (read-only) | \??\y: | yexggeuhhj.exe
File opened (read-only) | \??\a: | sdehaiwj.exe
File opened (read-only) | \??\a: | yexggeuhhj.exe
File opened (read-only) | \??\h: | yexggeuhhj.exe
File opened (read-only) | \??\u: | sdehaiwj.exe
File opened (read-only) | \??\l: | sdehaiwj.exe
File opened (read-only) | \??\x: | sdehaiwj.exe
File opened (read-only) | \??\m: | sdehaiwj.exe
File opened (read-only) | \??\n: | sdehaiwj.exe
File opened (read-only) | \??\o: | sdehaiwj.exe
File opened (read-only) | \??\q: | sdehaiwj.exe
File opened (read-only) | \??\s: | sdehaiwj.exe
File opened (read-only) | \??\r: | sdehaiwj.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | yexggeuhhj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | yexggeuhhj.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/400-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023421-5.dat | autoit_exe
behavioral2/files/0x000a00000002341d-18.dat | autoit_exe
behavioral2/files/0x0007000000023422-27.dat | autoit_exe
behavioral2/files/0x0007000000023423-32.dat | autoit_exe
behavioral2/files/0x000500000001d891-68.dat | autoit_exe
behavioral2/files/0x000500000001d9e5-73.dat | autoit_exe
behavioral2/files/0x001500000001e5a6-85.dat | autoit_exe
behavioral2/files/0x000200000001e6fc-104.dat | autoit_exe
behavioral2/files/0x000200000001e6fc-487.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\hvwpcddlfusmoou.exe | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\sdehaiwj.exe | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\vsdmfruzoaoth.exe | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\yexggeuhhj.exe | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\sdehaiwj.exe | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\hvwpcddlfusmoou.exe | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | sdehaiwj.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | sdehaiwj.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | yexggeuhhj.exe
File opened for modification | C:\Windows\SysWOW64\vsdmfruzoaoth.exe | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | sdehaiwj.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | sdehaiwj.exe
File opened for modification | C:\Windows\SysWOW64\yexggeuhhj.exe | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | sdehaiwj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | sdehaiwj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sdehaiwj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sdehaiwj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sdehaiwj.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sdehaiwj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sdehaiwj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | sdehaiwj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | sdehaiwj.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sdehaiwj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sdehaiwj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sdehaiwj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sdehaiwj.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sdehaiwj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sdehaiwj.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | sdehaiwj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | sdehaiwj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | sdehaiwj.exe
File opened for modification | C:\Windows\mydoc.rtf | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | sdehaiwj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | sdehaiwj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | sdehaiwj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sdehaiwj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sdehaiwj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sdehaiwj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | sdehaiwj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | sdehaiwj.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sdehaiwj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sdehaiwj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sdehaiwj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sdehaiwj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sdehaiwj.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFCFF485F851C9145D65A7E90BCE7E13D594667316243D79C" | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F26BB3FE6821DDD208D0D68A7B9166" | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | yexggeuhhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | yexggeuhhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | yexggeuhhj.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDF9C9FE6AF29983083B45869F39E4B08903F14212034FE1B842EF09D6" | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC70B15E4DAB5B8C97C92ECE737CB" | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | yexggeuhhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | yexggeuhhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | yexggeuhhj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | yexggeuhhj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | yexggeuhhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | yexggeuhhj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | yexggeuhhj.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C7D9D2183586A4476D577232CD67D8664AA" | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B12E479239EA53CFBAA23392D7CC" | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | yexggeuhhj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | yexggeuhhj.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1864 | WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
400 | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe (16 entries)
2572 | yexggeuhhj.exe (10 entries)
4168 | vsdmfruzoaoth.exe (12 entries)
4196 | sdehaiwj.exe (8 entries)
1848 | hvwpcddlfusmoou.exe (10 entries)
1140 | sdehaiwj.exe (8 entries)
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
400 | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe (3 entries)
2572 | yexggeuhhj.exe (3 entries)
1848 | hvwpcddlfusmoou.exe (3 entries)
4168 | vsdmfruzoaoth.exe (3 entries)
4196 | sdehaiwj.exe (3 entries)
1140 | sdehaiwj.exe (3 entries)
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
400 | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe (3 entries)
2572 | yexggeuhhj.exe (3 entries)
1848 | hvwpcddlfusmoou.exe (3 entries)
4168 | vsdmfruzoaoth.exe (3 entries)
4196 | sdehaiwj.exe (3 entries)
1140 | sdehaiwj.exe (3 entries)
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
1864 | WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 400 wrote to memory of 2572 | 400 | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe | 81 (3 entries)
PID 400 wrote to memory of 1848 | 400 | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe | 82 (3 entries)
PID 400 wrote to memory of 4196 | 400 | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe | 83 (3 entries)
PID 400 wrote to memory of 4168 | 400 | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe | 84 (3 entries)
PID 2572 wrote to memory of 1140 | 2572 | yexggeuhhj.exe | 87 (3 entries)
PID 400 wrote to memory of 1864 | 400 | 83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe | 86 (2 entries)
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\83299ddb0aeedab9ccb3bef2ef829144_JaffaCakes118.exe"
    PID: 400
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Windows\SysWOW64\yexggeuhhj.exe
        Command line: yexggeuhhj.exe
        PID: 2572
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\SysWOW64\sdehaiwj.exe
            Command line: C:\Windows\system32\sdehaiwj.exe
            PID: 1140
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [depth 2] C:\Windows\SysWOW64\hvwpcddlfusmoou.exe
        Command line: hvwpcddlfusmoou.exe
        PID: 1848
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [depth 2] C:\Windows\SysWOW64\sdehaiwj.exe
        Command line: sdehaiwj.exe
        PID: 4196
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [depth 2] C:\Windows\SysWOW64\vsdmfruzoaoth.exe
        Command line: vsdmfruzoaoth.exe
        PID: 4168
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [depth 2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        PID: 1864
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 94c8f35bc58d246ba4e1236944a9d082
SHA1: 28645c167d6f73325b4304cb8daf33da9c456afd
SHA256: 230b8a82635051b9a8671d89eb8aac9d413c026532fd1a731cc30e3b1ccc9d94
SHA512: 370eb55e8817ab836a2878ded1bb8268c6312bb9f5e5928eb78edb077dae5f695b37e487a3edf7f1e656ee6b83d2cabc32da8f52c1a3878285f139376e06ce38

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize: 239B
MD5: 361ba5cdfe246f4303b0a1638e0daf43
SHA1: eced7199b1af3c8e92209a68cb9a925ff3f369a3
SHA256: 507143acb38e64408d03a0dd98e16bd34ca557294c466ae8ec9c7c763eb3a2a5
SHA512: 81b9d124396d138717aea4dc71cec59426a3b65b47eaa0d13523adf030c5e3df9fa670ed48f7634d0301812d4b546dd43bc5bf863b58112570a2ab049bc7ab54

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: c3acd0353dd0081f8aa35d4d02bd7b18
SHA1: 1077fd26a450ef0fe5270729d768a02166335b69
SHA256: c41a7cb48c11841b98debe44ea2ac45a745183e0de84164463556fbb1dd7295a
SHA512: f0e3f3ea3cf89ba727069aa7f7eccd0491a6b0470d0fc66d6b5e6dcac3c88446884032161913e5b1092a3ff519f124df063ac6d4c8f94a883ed0b79ee8bc326a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 1fcb7fe37128db9ec825d7a880d7afe3
SHA1: 95ec91f756740d0591cf7d82ce09595cb3cc2552
SHA256: d4b6e2ea43916f21bda634a6647de0e9f90a70a32adfd91b25d42e416942b921
SHA512: 85e5a67da45a3eaade68c0af4e0ad82a3e6520f74bf5c8991d2c8a0657e2e8cf38167376e5b3510634ad7b8286e00ceb6a42f130ef9aa92213fc38090eb161d3

Filesize: 512KB
MD5: 801a7b65597bced081bec1f2af528d24
SHA1: feb240ff37486a2177400d58c9e5f3d09798a279
SHA256: b544484a8157660f85c0599d0c570d2118de6cd4b6251eda11fa17a1428e4c44
SHA512: 1a08c1e0c74e21242cbf5f3d681d32b13152dced498a3fff4f62fc3aa44136d61dd4d41f41cae085bbda57e29d946ab10adc8b2ed09e925329d44b0f98548d75

Filesize: 512KB
MD5: e3f07379f1e4d0ac3f6a1608c01f34e0
SHA1: a8dd581373595c30c712dd7d2f4ab5c7221c9194
SHA256: 3335dece352da194e143bd2e382efb4dc609c94c5e8ef6414eded08baaedfb9b
SHA512: c61ff8e6b1e40b70e932e6121a9eaa724f33977c0e89d5bde34e05df89e8282df43afa4b430807dac523ee05f03e18f8e6d31e0ce1d811d8f2017899055fb0c6

Filesize: 512KB
MD5: c94a81a08478e732bd20515f7262efdd
SHA1: 1d462391618b8385cb63324ec82a6e53b4d3ea63
SHA256: e1e69a437a33a7386804e04ac4d4c73fd0ba70e506d88f2a60f8edd3ea37bca9
SHA512: 694058e87060dbb8c1430c0f12b3983956037cdf7bc681f6910fb050233aa63009032189735c9967e4db45f1a29d6f6b5a2b56ef87f78b7707cd92f726578947

Filesize: 512KB
MD5: ac5fff52b76f86460317fa746019d6b2
SHA1: 1e339e2b29b8810eef22036ce44786a83c1a8fce
SHA256: c4512f854045f50b949e51743a7c036e14680f2f0644be65f0db6ad9cdc1202f
SHA512: 25c25a98d687d4d3236702378ae304f2d41d6f86fbfb328f948683471eb16a69b8163a5ace9c39f698a6accfd6d7cb8ce1a381b5a82cfbcb53128af56c932906

Filesize: 512KB
MD5: 25197fa84a63daff9e3279cfc7f0247b
SHA1: 9d6bf701bc55f39513b1ace7b6d46bfc897efde3
SHA256: 8b05823532cdb75aec4baeadcf8c9b0472030c828196baf1967fd43ad6583a5f
SHA512: e6b96841a628b58cf9f38c15356e5b7cf5ae93641a0dd0e5263a11ec0cf30a62f43eb3ac5e5f530bcb9106278f3ac9bd422464e26378653b0f8b2bb7d433d9d1

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: d2aa11e591d57a74f0e551007f0d0b77
SHA1: 4932bf69a93bc86cff7d779e4dd2859d760b567d
SHA256: cae1ce0d4a38ff280b37cbc9555fd1b82cdbd7958d73ccbd3a667785d397b5ae
SHA512: 3c727d93c673befa9b71bae9d66f0c6f64cad4b1ddd655626076410bf23b89813ce90ac207080964fa2b2bc8896c0f6f5be998b924e0f382cf40631e9c7fa831

Filesize: 512KB
MD5: cf6a18837c4c26acee0ba5b50cc5b378
SHA1: ddbf8337ccc8fc4afcabd99ffdfab5014ca1352c
SHA256: a7a15ace51da6755012d578154a4bf9041a0f53af71e2c2bca40189dcd5029ab
SHA512: cdab0f6bb23a399abf9c1a75d2b30e1d36904c89e15a02098b25258495cbb46612256900e70c5d274091a95a25aa46ee5e697250bbc6118c13bd8060d2f45763

Filesize: 512KB
MD5: e68e8ede78c011887298439056454991
SHA1: ca925c5afcee7f7f72afaa39beb53be20c4ebe4a
SHA256: d9c027392a458e3207b301adffae88489f319bae4e8bd0136ed6d34e45157746
SHA512: df64c0b7f9ba040746d34329094381dcd23e759e8242ed02ae3d9d369f3fefc92999b89f3c3adc713ec82c22666f0e995fdb78a92a61528d19eb82830d8a3e68