Analysis
max time kernel: 151s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/06/2024, 15:34
Static task: static1
Behavioral task: behavioral1
  Sample: 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
Size: 512KB
MD5: 9882a7793f1df74d04833e184e918ee8
SHA1: 0229a6047afd94d9f430aabe34819d5b0503875d
SHA256: 7ebcad2de5fdb7161d1cb60f8503bc43a5cdebc06716e1a639fbddd283c7372c
SHA512: e05e0dc8d8716f54b3271da83677c2296a206e6b807b928506906a3919c812ccd8674df216b118629012b6be91e16cde82269b6e82ef07e64ab98341ab065cb3
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5V
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | likqxnowcj.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | likqxnowcj.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | likqxnowcj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | likqxnowcj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | likqxnowcj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | likqxnowcj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | likqxnowcj.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | likqxnowcj.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | Process
2644 | likqxnowcj.exe
1432 | qdhkdqcyvnllxqk.exe
1340 | cpupqzjo.exe
2680 | qavfrebohtubm.exe
4016 | cpupqzjo.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | likqxnowcj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | likqxnowcj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | likqxnowcj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | likqxnowcj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | likqxnowcj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | likqxnowcj.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qavfrebohtubm.exe" | qdhkdqcyvnllxqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aspjkeyy = "likqxnowcj.exe" | qdhkdqcyvnllxqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rlnxuqvx = "qdhkdqcyvnllxqk.exe" | qdhkdqcyvnllxqk.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
All 64 events are "File opened (read-only)"; drive roots are listed per process in the order recorded (repeats are repeated opens):
cpupqzjo.exe (44 events) | \??\y: \??\t: \??\k: \??\m: \??\t: \??\j: \??\x: \??\l: \??\i: \??\n: \??\b: \??\g: \??\p: \??\q: \??\a: \??\e: \??\x: \??\u: \??\s: \??\u: \??\h: \??\z: \??\b: \??\l: \??\o: \??\k: \??\v: \??\w: \??\q: \??\s: \??\z: \??\j: \??\n: \??\v: \??\e: \??\h: \??\w: \??\i: \??\m: \??\o: \??\r: \??\y: \??\a: \??\r:
likqxnowcj.exe (20 events) | \??\l: \??\b: \??\k: \??\w: \??\i: \??\n: \??\y: \??\e: \??\g: \??\j: \??\o: \??\r: \??\q: \??\x: \??\z: \??\u: \??\h: \??\p: \??\m: \??\v:
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | likqxnowcj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | likqxnowcj.exe
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2240-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000800000002325a-5.dat | autoit_exe
behavioral2/files/0x001100000002324d-18.dat | autoit_exe
behavioral2/files/0x000800000002325c-26.dat | autoit_exe
behavioral2/files/0x000700000002325d-31.dat | autoit_exe
behavioral2/files/0x0003000000000711-66.dat | autoit_exe
behavioral2/files/0x0003000000000717-72.dat | autoit_exe
behavioral2/files/0x000200000001eb0e-94.dat | autoit_exe
behavioral2/files/0x000200000001eb0e-98.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\qavfrebohtubm.exe | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cpupqzjo.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cpupqzjo.exe
File created | C:\Windows\SysWOW64\likqxnowcj.exe | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\likqxnowcj.exe | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\cpupqzjo.exe | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\cpupqzjo.exe | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\qavfrebohtubm.exe | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | likqxnowcj.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cpupqzjo.exe
File created | C:\Windows\SysWOW64\qdhkdqcyvnllxqk.exe | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\qdhkdqcyvnllxqk.exe | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cpupqzjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | cpupqzjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | cpupqzjo.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cpupqzjo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cpupqzjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | cpupqzjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cpupqzjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cpupqzjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cpupqzjo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cpupqzjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cpupqzjo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cpupqzjo.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cpupqzjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | cpupqzjo.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cpupqzjo.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cpupqzjo.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cpupqzjo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cpupqzjo.exe
File opened for modification | C:\Windows\mydoc.rtf | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cpupqzjo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cpupqzjo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cpupqzjo.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cpupqzjo.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | likqxnowcj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | likqxnowcj.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4FAB0F965F19283743A4086983E98B38902FA4364034CE2BD459A08A1" | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B02A449238E252CFB9A7329FD7C9" | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | likqxnowcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | likqxnowcj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | likqxnowcj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | likqxnowcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | likqxnowcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | likqxnowcj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | likqxnowcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | likqxnowcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F068B6FF1F21A9D27BD0D28B099063" | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C67D15ECDBB3B9C17FE5ECE337BA" | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | likqxnowcj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | likqxnowcj.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2C089C2282276D3476A570522DD97DF664AA" | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FFF94F2685689041D75B7D97BDE2E143584366426345D799" | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1656 | WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (identical rows collapsed, event count in parentheses, order as recorded)
2240 | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe (16 events)
1432 | qdhkdqcyvnllxqk.exe (10 events)
2644 | likqxnowcj.exe (10 events)
2680 | qavfrebohtubm.exe (12 events)
1340 | cpupqzjo.exe (8 events)
1432 | qdhkdqcyvnllxqk.exe (2 events)
4016 | cpupqzjo.exe (6 events)
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process (identical rows collapsed, event count in parentheses)
2240 | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe (3 events)
1432 | qdhkdqcyvnllxqk.exe (3 events)
2644 | likqxnowcj.exe (3 events)
2680 | qavfrebohtubm.exe (3 events)
1340 | cpupqzjo.exe (3 events)
4016 | cpupqzjo.exe (3 events)
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process (identical rows collapsed, event count in parentheses)
2240 | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe (3 events)
1432 | qdhkdqcyvnllxqk.exe (3 events)
2644 | likqxnowcj.exe (3 events)
2680 | qavfrebohtubm.exe (3 events)
1340 | cpupqzjo.exe (3 events)
4016 | cpupqzjo.exe (3 events)
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
1656 | WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target (identical rows collapsed, event count in parentheses)
PID 2240 wrote to memory of 2644 | 2240 | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe | 90 (3 events)
PID 2240 wrote to memory of 1432 | 2240 | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe | 91 (3 events)
PID 2240 wrote to memory of 1340 | 2240 | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe | 92 (3 events)
PID 2240 wrote to memory of 2680 | 2240 | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe | 93 (3 events)
PID 2644 wrote to memory of 4016 | 2644 | likqxnowcj.exe | 94 (3 events)
PID 2240 wrote to memory of 1656 | 2240 | 9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe | 95 (2 events)
Processes
(indentation shows the parent/child tree; the number is the depth level shown in the report)

1. C:\Users\Admin\AppData\Local\Temp\9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe"
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   PID: 2240

   2. C:\Windows\SysWOW64\likqxnowcj.exe
      Command line: likqxnowcj.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 2644

      3. C:\Windows\SysWOW64\cpupqzjo.exe
         Command line: C:\Windows\system32\cpupqzjo.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         PID: 4016

   2. C:\Windows\SysWOW64\qdhkdqcyvnllxqk.exe
      Command line: qdhkdqcyvnllxqk.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 1432

   2. C:\Windows\SysWOW64\cpupqzjo.exe
      Command line: cpupqzjo.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 1340

   2. C:\Windows\SysWOW64\qavfrebohtubm.exe
      Command line: qavfrebohtubm.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2680

   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      PID: 1656

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3944 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
   PID: 4336
Network
MITRE ATT&CK Enterprise v15
(number in parentheses is the signature count the report attaches to each tactic/technique)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

- Filesize: 512KB
  MD5: c33613d25956a4ed0127e3471085c0b0
  SHA1: 95cd8966325cd68303e737961acdae7a7680c12b
  SHA256: e6dd1c945501bf038a80d15db9004feb19ba0ea37827cd5b68a529265720d3ba
  SHA512: 8712229abb86aeff8f34ce42b9234884193edfc74234ba0e55519ad4a6843f523d496cac5c812aa5511dabd575e59f32b247fb5f24972369943c9efdffce9a30

- Filesize: 512KB
  MD5: 5e2357caec5db6bfd0e4459f6012532b
  SHA1: 325a5fcd3bd14f907337733296489b3e65ccd4ad
  SHA256: e3662489cd33753112b37eeba964c71c023113c8095328e00b93b614cb065bda
  SHA512: 3f714fcf1f789461b2bfd6911503f664301b4784fc2ccb269b3b7f1e8f694d8b074ac78ea410a545a301dd7f2c30f743e3068e85f6d49158a8a443ec8364938d

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 2d81a84fdb7e0f04863f47abf914da2a
  SHA1: 0200a3d549d59baf1a57dcc8e8f62e9ba7db0ca6
  SHA256: f44b7d0db6a9ee02ea047be545e5e31a5e97416dd6a014a6aec3f3d10d0f6379
  SHA512: 9c105ad455bd856f023aded660577ef9f500c21d4d358a7cf5f8f47b01a8db638ee9db9dc34a44cfe8880d08d806fb66aac613f5ff4ce46f45d0041c1bcde766

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 110f756d96e75a9dbd5510ce2cba44fa
  SHA1: 9691d7ccc42ac2a99b00044c5274773841eebf9b
  SHA256: f9e3729aec45892db0f6f8885a86a90de52c2f112555a8c93bdb6605d2263794
  SHA512: d2420f5232d468d70006a02f0522f84c530191a644b35b143d73348142e3e17cde53e2f72d6bc906a1fde9b3df845ba9154a276d626e55a06252876c234f5a6d

- Filesize: 512KB
  MD5: 1543eac0ff921eedf1c0200b743e5edb
  SHA1: d566b6c069126f0c37c498c6c5079b7b1d08ba5a
  SHA256: 101187fb354c9509385e82597260d66eed9a28a5b44ab08a3bcdbfe731a31708
  SHA512: f60afff80cf186dc7c276e1c8b079510f71f602efa65c75b0e7589de108fe2ccd5796e46891917b8ddd3388a6688c6e4641b3a46c31a17ae1bbecf9ee2c297c5

- Filesize: 512KB
  MD5: 53c5cd52bd83b751f708d3a59b2a3bfd
  SHA1: 22751dfccdc486bfa302fc09fc4e426ad7209e0f
  SHA256: ef3801bd2898f8e28f9c89075f5949ce0f2b2f5ce99e2687879da32bcc4e8f52
  SHA512: 6cd28bb77949b22ec42915d32b58f219a878c910dbd3f37dd01c9f0d69a18fd3ccfb26af6d41261c62c0fdd409318c9423fb42c7d2396e1b8a68758b4cf97278

- Filesize: 512KB
  MD5: 69abb0af771f2f3a6fd6ff6b7f37ab1e
  SHA1: cca3f2d4b9ce5ad92a3cda6f8c64fa5243a35662
  SHA256: fd3acf3c2f36cc963e98f17c444b687b964fd2f0fd10e8ffd34b57863f8a16d4
  SHA512: 06b01d3ae7d6a900f51156255f2bef8f0703735b2a7a65e229c6073985a29c9197cc755a4a671d77a65fc4dcff2534644d9006d6b2e556ae68b60191f4c46d0a

- Filesize: 512KB
  MD5: 9231d571aeaf0a9b30ba92f371aede2d
  SHA1: 6ffd6f2a3a70d2ec1a7e8443486d94234e56f165
  SHA256: d698f7bd08d99bd21191bf3bc845995bf27e1296e02ac6ab66a7934fec17bb89
  SHA512: b6888f6e3cb2f9c09b9186a16c0c402dfc5b70b61ce8fcc2953fcb04dc6434e6d5f263d0e12009d59994bbffc830ab3b21ff8929161de3274758f31884e42cee

- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

- Filesize: 512KB
  MD5: 697af234123a4a43b0d58115ed224ce2
  SHA1: f634b345e99735e7a2548d240c240202804e64b6
  SHA256: 5f19c68e30dc056dcd75fc9ba780e6ff31721920a675b0abc8873182fb0995f9
  SHA512: 1964c399cfc45dc8eeac8aa29b02a8df1f6ff54276e1df175a8891524c917d21c4e9563ecad2a01039b0f90bea43c0d692f09d437495b98320195806c73c005c

- Filesize: 512KB
  MD5: 751485e02e1869cdf93f184d08046938
  SHA1: bfbc43b01ef7be143e3c6a58a0ca84ef85e26e47
  SHA256: 8ba50f5a593a852651acc149db2bb6ec57c391f7b57038f2f14b8e763b6e0ed4
  SHA512: 6fbf3437ac2e5c4ec4680f4ade16b3ae010fc61db5bf5ceecd2e02dd346509b6c0e633c854d61ea8b5dc5aaf37bb32f583f007cf89a8dbea57804b9748824a50