Analysis
- max time kernel: 150s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
- submitted: 02/06/2024, 05:01
Static task: static1
Behavioral task: behavioral1
- Sample: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe
- Size: 512KB
- MD5: 8cf5981ebcd114872f1f286b84158d74
- SHA1: cda802fcfd5bb56d56abc157d07d1d5c3e9a5508
- SHA256: 33290ae0daab6d0c855f3c4b820ff1f9ee3a825eb01b94e2750effe2bd3f2863
- SHA512: e8f366244d9b02cb196d812f49ac12fe44adfadec6d458cf7848729c0e1c6c17b8de0ada48927779b3b67c4b45934738308dd667898343a3476564609d3f7181
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6w:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: tatoechiwy.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: tatoechiwy.exe)
Windows security bypass (5 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: tatoechiwy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: tatoechiwy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: tatoechiwy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: tatoechiwy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: tatoechiwy.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: tatoechiwy.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
Executes dropped EXE (5 IoCs)
- PID 1724 tatoechiwy.exe
- PID 4948 svxuzhus.exe
- PID 4440 hefvthkyrqjuftz.exe
- PID 4044 obkkbanzzzsjg.exe
- PID 2132 svxuzhus.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: tatoechiwy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: tatoechiwy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: tatoechiwy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: tatoechiwy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: tatoechiwy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: tatoechiwy.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fxldujkj = "tatoechiwy.exe" (process: hefvthkyrqjuftz.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vauqdywr = "hefvthkyrqjuftz.exe" (process: hefvthkyrqjuftz.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "obkkbanzzzsjg.exe" (process: hefvthkyrqjuftz.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
IoC / Process: File opened (read-only) \??\i: svxuzhus.exe File opened (read-only) \??\p: svxuzhus.exe File opened (read-only) \??\k: svxuzhus.exe File opened (read-only) \??\m: svxuzhus.exe File opened (read-only) \??\i: tatoechiwy.exe File opened (read-only) \??\b: svxuzhus.exe File opened (read-only) \??\a: tatoechiwy.exe File opened (read-only) \??\r: tatoechiwy.exe File opened (read-only) \??\w: svxuzhus.exe File opened (read-only) \??\e: svxuzhus.exe File opened (read-only) \??\l: tatoechiwy.exe File opened (read-only) \??\a: svxuzhus.exe File opened (read-only) \??\e: svxuzhus.exe File opened (read-only) \??\h: svxuzhus.exe File opened (read-only) \??\a: svxuzhus.exe File opened (read-only) \??\i: svxuzhus.exe File opened (read-only) \??\p: tatoechiwy.exe File opened (read-only) \??\q: tatoechiwy.exe File opened (read-only) \??\r: svxuzhus.exe File opened (read-only) \??\v: svxuzhus.exe File opened (read-only) \??\y: svxuzhus.exe File opened (read-only) \??\k: tatoechiwy.exe File opened (read-only) \??\l: svxuzhus.exe File opened (read-only) \??\q: svxuzhus.exe File opened (read-only) \??\h: tatoechiwy.exe File opened (read-only) \??\n: tatoechiwy.exe File opened (read-only) \??\w: tatoechiwy.exe File opened (read-only) \??\x: tatoechiwy.exe File opened (read-only) \??\o: svxuzhus.exe File opened (read-only) \??\b: svxuzhus.exe File opened (read-only) \??\t: svxuzhus.exe File opened (read-only) \??\u: svxuzhus.exe File opened (read-only) \??\p: svxuzhus.exe File opened (read-only) \??\t: tatoechiwy.exe File opened (read-only) \??\y: tatoechiwy.exe File opened (read-only) \??\m: svxuzhus.exe File opened (read-only) \??\g: svxuzhus.exe File opened (read-only) \??\o: svxuzhus.exe File opened (read-only) \??\w: svxuzhus.exe File opened (read-only) \??\b: tatoechiwy.exe File opened (read-only) \??\q: svxuzhus.exe File opened (read-only) \??\x: svxuzhus.exe File opened (read-only) \??\g: tatoechiwy.exe File opened (read-only) \??\j: svxuzhus.exe File opened (read-only) \??\x: svxuzhus.exe File opened (read-only) \??\l: svxuzhus.exe File opened (read-only) \??\t: svxuzhus.exe File opened (read-only) \??\u: svxuzhus.exe File opened (read-only) \??\z: svxuzhus.exe File opened (read-only) \??\o: tatoechiwy.exe File opened (read-only) \??\u: tatoechiwy.exe File opened (read-only) \??\g: svxuzhus.exe File opened (read-only) \??\n: svxuzhus.exe File opened (read-only) \??\j: svxuzhus.exe File opened (read-only) \??\e: tatoechiwy.exe File opened (read-only) \??\j: tatoechiwy.exe File opened (read-only) \??\s: tatoechiwy.exe File opened (read-only) \??\z: tatoechiwy.exe File opened (read-only) \??\k: svxuzhus.exe File opened (read-only) \??\h: svxuzhus.exe File opened (read-only) \??\y: svxuzhus.exe File opened (read-only) \??\z: svxuzhus.exe File opened (read-only) \??\n: svxuzhus.exe File opened (read-only) \??\s: svxuzhus.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: tatoechiwy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: tatoechiwy.exe)
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral2/memory/4016-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral2/files/0x00070000000233f3-5.dat (yara rule: autoit_exe)
- behavioral2/files/0x000700000002328e-18.dat (yara rule: autoit_exe)
- behavioral2/files/0x00070000000233f4-24.dat (yara rule: autoit_exe)
- behavioral2/files/0x00070000000233f5-32.dat (yara rule: autoit_exe)
- behavioral2/files/0x00080000000233e5-69.dat (yara rule: autoit_exe)
- behavioral2/files/0x00020000000229c8-63.dat (yara rule: autoit_exe)
- behavioral2/files/0x0003000000022974-78.dat (yara rule: autoit_exe)
- behavioral2/files/0x0007000000023410-93.dat (yara rule: autoit_exe)
- behavioral2/files/0x0007000000023410-539.dat (yara rule: autoit_exe)
Drops file in System32 directory (12 IoCs)
- File created C:\Windows\SysWOW64\svxuzhus.exe (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\svxuzhus.exe (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\obkkbanzzzsjg.exe (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\obkkbanzzzsjg.exe (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (process: tatoechiwy.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File created C:\Windows\SysWOW64\tatoechiwy.exe (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\tatoechiwy.exe (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\hefvthkyrqjuftz.exe (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\hefvthkyrqjuftz.exe (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
Drops file in Program Files directory (14 IoCs)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: svxuzhus.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (process: svxuzhus.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: svxuzhus.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: svxuzhus.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: svxuzhus.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: svxuzhus.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: svxuzhus.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (process: svxuzhus.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: svxuzhus.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: svxuzhus.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: svxuzhus.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (process: svxuzhus.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (process: svxuzhus.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: svxuzhus.exe)
Drops file in Windows directory (19 IoCs)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File created C:\Windows\~$mydoc.rtf (process: WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File opened for modification C:\Windows\mydoc.rtf (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (process: WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: svxuzhus.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
Modifies registry class (20 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (process: tatoechiwy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C799D2D83506A4276D3702E2CD77CF265AB" (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDFAB1F96BF2E484743B3286E93E98B38D038A4362023CE1C8459D09A0" (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B02C44E6389852C4BAA133E9D4C5" (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC60914E7DBC5B8C07F92ECE037CB" (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (process: tatoechiwy.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (process: tatoechiwy.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (process: tatoechiwy.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (process: tatoechiwy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (process: tatoechiwy.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (process: tatoechiwy.exe)
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFFFC482B851A9141D75F7DE2BCE7E641583666446334D7EA" (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (process: tatoechiwy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (process: tatoechiwy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F768C4FE6821DCD10CD0A48A0B9160" (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (process: tatoechiwy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (process: tatoechiwy.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (process: tatoechiwy.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 912 WINWORD.EXE
- PID 912 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID / Process: 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 1724 tatoechiwy.exe 1724 tatoechiwy.exe 1724 tatoechiwy.exe 1724 tatoechiwy.exe 1724 tatoechiwy.exe 1724 tatoechiwy.exe 1724 tatoechiwy.exe 1724 tatoechiwy.exe 1724 tatoechiwy.exe 1724 tatoechiwy.exe 4948 svxuzhus.exe 4948 svxuzhus.exe 4948 svxuzhus.exe 4948 svxuzhus.exe 4948 svxuzhus.exe 4948 svxuzhus.exe 4948 svxuzhus.exe 4948 svxuzhus.exe 4044 obkkbanzzzsjg.exe 4044 obkkbanzzzsjg.exe 4044 obkkbanzzzsjg.exe 4044 obkkbanzzzsjg.exe 4044 obkkbanzzzsjg.exe 4044 obkkbanzzzsjg.exe 4044 obkkbanzzzsjg.exe 4044 obkkbanzzzsjg.exe 4044 obkkbanzzzsjg.exe 4044 obkkbanzzzsjg.exe 4044 obkkbanzzzsjg.exe 4044 obkkbanzzzsjg.exe 4440 hefvthkyrqjuftz.exe 4440 hefvthkyrqjuftz.exe 4440 hefvthkyrqjuftz.exe 4440 hefvthkyrqjuftz.exe 4440 hefvthkyrqjuftz.exe 4440 hefvthkyrqjuftz.exe 4440 hefvthkyrqjuftz.exe 4440 hefvthkyrqjuftz.exe 4440 hefvthkyrqjuftz.exe 4440 hefvthkyrqjuftz.exe 2132 svxuzhus.exe 2132 svxuzhus.exe 2132 svxuzhus.exe 2132 svxuzhus.exe 2132 svxuzhus.exe 2132 svxuzhus.exe 2132 svxuzhus.exe 2132 svxuzhus.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
PID / Process: 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 1724 tatoechiwy.exe 1724 tatoechiwy.exe 1724 tatoechiwy.exe 4948 svxuzhus.exe 4948 svxuzhus.exe 4948 svxuzhus.exe 4044 obkkbanzzzsjg.exe 4440 hefvthkyrqjuftz.exe 4044 obkkbanzzzsjg.exe 4440 hefvthkyrqjuftz.exe 4044 obkkbanzzzsjg.exe 4440 hefvthkyrqjuftz.exe 2132 svxuzhus.exe 2132 svxuzhus.exe 2132 svxuzhus.exe
Suspicious use of SendNotifyMessage (18 IoCs)
PID / Process: 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 4016 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe 1724 tatoechiwy.exe 1724 tatoechiwy.exe 1724 tatoechiwy.exe 4948 svxuzhus.exe 4948 svxuzhus.exe 4948 svxuzhus.exe 4044 obkkbanzzzsjg.exe 4440 hefvthkyrqjuftz.exe 4044 obkkbanzzzsjg.exe 4440 hefvthkyrqjuftz.exe 4044 obkkbanzzzsjg.exe 4440 hefvthkyrqjuftz.exe 2132 svxuzhus.exe 2132 svxuzhus.exe 2132 svxuzhus.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
PID / Process: 912 WINWORD.EXE 912 WINWORD.EXE 912 WINWORD.EXE 912 WINWORD.EXE 912 WINWORD.EXE 912 WINWORD.EXE 912 WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
- PID 4016 wrote to memory of 1724 (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe, procid_target 83)
- PID 4016 wrote to memory of 1724 (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe, procid_target 83)
- PID 4016 wrote to memory of 1724 (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe, procid_target 83)
- PID 4016 wrote to memory of 4440 (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe, procid_target 84)
- PID 4016 wrote to memory of 4440 (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe, procid_target 84)
- PID 4016 wrote to memory of 4440 (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe, procid_target 84)
- PID 4016 wrote to memory of 4948 (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe, procid_target 85)
- PID 4016 wrote to memory of 4948 (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe, procid_target 85)
- PID 4016 wrote to memory of 4948 (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe, procid_target 85)
- PID 4016 wrote to memory of 4044 (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe, procid_target 86)
- PID 4016 wrote to memory of 4044 (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe, procid_target 86)
- PID 4016 wrote to memory of 4044 (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe, procid_target 86)
- PID 1724 wrote to memory of 2132 (process: tatoechiwy.exe, procid_target 88)
- PID 1724 wrote to memory of 2132 (process: tatoechiwy.exe, procid_target 88)
- PID 1724 wrote to memory of 2132 (process: tatoechiwy.exe, procid_target 88)
- PID 4016 wrote to memory of 912 (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe, procid_target 87)
- PID 4016 wrote to memory of 912 (process: 8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe, procid_target 87)
Processes
- Process (depth 1, PID 4016): C:\Users\Admin\AppData\Local\Temp\8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8cf5981ebcd114872f1f286b84158d74_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Process (depth 2, PID 1724): C:\Windows\SysWOW64\tatoechiwy.exe
    Command line: tatoechiwy.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - Process (depth 3, PID 2132): C:\Windows\SysWOW64\svxuzhus.exe
      Command line: C:\Windows\system32\svxuzhus.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - Process (depth 2, PID 4440): C:\Windows\SysWOW64\hefvthkyrqjuftz.exe
    Command line: hefvthkyrqjuftz.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - Process (depth 2, PID 4948): C:\Windows\SysWOW64\svxuzhus.exe
    Command line: svxuzhus.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - Process (depth 2, PID 4044): C:\Windows\SysWOW64\obkkbanzzzsjg.exe
    Command line: obkkbanzzzsjg.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - Process (depth 2, PID 912): C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads