Analysis
- max time kernel: 150s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/06/2024, 22:01
Static task: static1
Behavioral task: behavioral1
- Sample: b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
- Size: 512KB
- MD5: b04f559d9c4c4394fd54c78c1294b180
- SHA1: 20e59d102e6a1bc1143ec19cde175a8cb9fd31fe
- SHA256: 1e45e8d4d72a0cf76f0125bc5215160e5728017008ba28394ad0524f28d554cc
- SHA512: 12d5e6dd8c5d6d77e485318a64393cae584e1ede26969f8f45c8a646c566f81ecae22af29cef1268739e72aac52260c41937edd2758b7e657f71bcd1c80cdcf0
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | elcqjnawir.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | elcqjnawir.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | elcqjnawir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | elcqjnawir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | elcqjnawir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | elcqjnawir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | elcqjnawir.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | elcqjnawir.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
4136 | elcqjnawir.exe
2448 | mkviwinw.exe
3848 | njeixyaymwozxra.exe
4184 | wulmlakqrknkc.exe
4596 | mkviwinw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | elcqjnawir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | elcqjnawir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | elcqjnawir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | elcqjnawir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | elcqjnawir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | elcqjnawir.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oxmxfirn = "elcqjnawir.exe" | njeixyaymwozxra.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhrtwjre = "njeixyaymwozxra.exe" | njeixyaymwozxra.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wulmlakqrknkc.exe" | njeixyaymwozxra.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\y: | mkviwinw.exe
File opened (read-only) | \??\o: | mkviwinw.exe
File opened (read-only) | \??\p: | mkviwinw.exe
File opened (read-only) | \??\w: | mkviwinw.exe
File opened (read-only) | \??\n: | elcqjnawir.exe
File opened (read-only) | \??\w: | elcqjnawir.exe
File opened (read-only) | \??\v: | mkviwinw.exe
File opened (read-only) | \??\w: | mkviwinw.exe
File opened (read-only) | \??\j: | mkviwinw.exe
File opened (read-only) | \??\n: | mkviwinw.exe
File opened (read-only) | \??\q: | mkviwinw.exe
File opened (read-only) | \??\o: | elcqjnawir.exe
File opened (read-only) | \??\z: | elcqjnawir.exe
File opened (read-only) | \??\p: | mkviwinw.exe
File opened (read-only) | \??\r: | mkviwinw.exe
File opened (read-only) | \??\o: | mkviwinw.exe
File opened (read-only) | \??\u: | mkviwinw.exe
File opened (read-only) | \??\z: | mkviwinw.exe
File opened (read-only) | \??\j: | elcqjnawir.exe
File opened (read-only) | \??\q: | elcqjnawir.exe
File opened (read-only) | \??\x: | elcqjnawir.exe
File opened (read-only) | \??\n: | mkviwinw.exe
File opened (read-only) | \??\h: | mkviwinw.exe
File opened (read-only) | \??\h: | elcqjnawir.exe
File opened (read-only) | \??\j: | mkviwinw.exe
File opened (read-only) | \??\s: | mkviwinw.exe
File opened (read-only) | \??\i: | mkviwinw.exe
File opened (read-only) | \??\z: | mkviwinw.exe
File opened (read-only) | \??\l: | mkviwinw.exe
File opened (read-only) | \??\t: | mkviwinw.exe
File opened (read-only) | \??\g: | elcqjnawir.exe
File opened (read-only) | \??\r: | elcqjnawir.exe
File opened (read-only) | \??\p: | elcqjnawir.exe
File opened (read-only) | \??\s: | elcqjnawir.exe
File opened (read-only) | \??\b: | mkviwinw.exe
File opened (read-only) | \??\u: | mkviwinw.exe
File opened (read-only) | \??\i: | mkviwinw.exe
File opened (read-only) | \??\k: | mkviwinw.exe
File opened (read-only) | \??\a: | elcqjnawir.exe
File opened (read-only) | \??\b: | elcqjnawir.exe
File opened (read-only) | \??\q: | mkviwinw.exe
File opened (read-only) | \??\r: | mkviwinw.exe
File opened (read-only) | \??\s: | mkviwinw.exe
File opened (read-only) | \??\k: | elcqjnawir.exe
File opened (read-only) | \??\m: | elcqjnawir.exe
File opened (read-only) | \??\y: | mkviwinw.exe
File opened (read-only) | \??\m: | mkviwinw.exe
File opened (read-only) | \??\e: | elcqjnawir.exe
File opened (read-only) | \??\v: | elcqjnawir.exe
File opened (read-only) | \??\y: | elcqjnawir.exe
File opened (read-only) | \??\t: | mkviwinw.exe
File opened (read-only) | \??\x: | mkviwinw.exe
File opened (read-only) | \??\e: | mkviwinw.exe
File opened (read-only) | \??\h: | mkviwinw.exe
File opened (read-only) | \??\l: | mkviwinw.exe
File opened (read-only) | \??\b: | mkviwinw.exe
File opened (read-only) | \??\e: | mkviwinw.exe
File opened (read-only) | \??\i: | elcqjnawir.exe
File opened (read-only) | \??\g: | mkviwinw.exe
File opened (read-only) | \??\l: | elcqjnawir.exe
File opened (read-only) | \??\t: | elcqjnawir.exe
File opened (read-only) | \??\m: | mkviwinw.exe
File opened (read-only) | \??\a: | mkviwinw.exe
File opened (read-only) | \??\v: | mkviwinw.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | elcqjnawir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | elcqjnawir.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3836-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00090000000233ed-5.dat | autoit_exe
behavioral2/files/0x000700000002328e-18.dat | autoit_exe
behavioral2/files/0x00070000000233f1-23.dat | autoit_exe
behavioral2/files/0x00070000000233f2-31.dat | autoit_exe
behavioral2/files/0x0006000000016952-57.dat | autoit_exe
behavioral2/files/0x000a000000016fb1-60.dat | autoit_exe
behavioral2/files/0x000600000001db0e-66.dat | autoit_exe
behavioral2/files/0x000400000001e0ab-86.dat | autoit_exe
behavioral2/files/0x000400000001e0ab-91.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\mkviwinw.exe | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mkviwinw.exe | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wulmlakqrknkc.exe | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | elcqjnawir.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mkviwinw.exe
File created | C:\Windows\SysWOW64\elcqjnawir.exe | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\elcqjnawir.exe | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\njeixyaymwozxra.exe | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mkviwinw.exe
File created | C:\Windows\SysWOW64\njeixyaymwozxra.exe | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wulmlakqrknkc.exe | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mkviwinw.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mkviwinw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | mkviwinw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mkviwinw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mkviwinw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mkviwinw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | mkviwinw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mkviwinw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | mkviwinw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mkviwinw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mkviwinw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mkviwinw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mkviwinw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mkviwinw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | mkviwinw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mkviwinw.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mkviwinw.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mkviwinw.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mkviwinw.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mkviwinw.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mkviwinw.exe
File opened for modification | C:\Windows\mydoc.rtf | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mkviwinw.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mkviwinw.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mkviwinw.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mkviwinw.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mkviwinw.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mkviwinw.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mkviwinw.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mkviwinw.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mkviwinw.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mkviwinw.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mkviwinw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768C4FE6922D0D209D0A78B7B9164" | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | elcqjnawir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | elcqjnawir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFC82482C851C9134D75F7DE5BC97E630593567326335D7EE" | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | elcqjnawir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | elcqjnawir.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBFABEF913F19084783A31869A3E98B0F9038843670233E2BD459B08D2" | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | elcqjnawir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | elcqjnawir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | elcqjnawir.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462C0F9C5182276A3676A570272DD97D8765DB" | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B121449339EB52C9BAA2329BD4BE" | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C67914E0DBBFB9BA7C97ECE734CC" | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | elcqjnawir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | elcqjnawir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | elcqjnawir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | elcqjnawir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | elcqjnawir.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3628 | WINWORD.EXE
3628 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
2448 | mkviwinw.exe
2448 | mkviwinw.exe
2448 | mkviwinw.exe
2448 | mkviwinw.exe
2448 | mkviwinw.exe
2448 | mkviwinw.exe
2448 | mkviwinw.exe
2448 | mkviwinw.exe
3848 | njeixyaymwozxra.exe
3848 | njeixyaymwozxra.exe
3848 | njeixyaymwozxra.exe
3848 | njeixyaymwozxra.exe
3848 | njeixyaymwozxra.exe
3848 | njeixyaymwozxra.exe
3848 | njeixyaymwozxra.exe
3848 | njeixyaymwozxra.exe
4136 | elcqjnawir.exe
4136 | elcqjnawir.exe
4136 | elcqjnawir.exe
4136 | elcqjnawir.exe
4136 | elcqjnawir.exe
4136 | elcqjnawir.exe
4136 | elcqjnawir.exe
4136 | elcqjnawir.exe
4136 | elcqjnawir.exe
4136 | elcqjnawir.exe
3848 | njeixyaymwozxra.exe
3848 | njeixyaymwozxra.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4596 | mkviwinw.exe
4596 | mkviwinw.exe
4596 | mkviwinw.exe
4596 | mkviwinw.exe
4596 | mkviwinw.exe
4596 | mkviwinw.exe
4596 | mkviwinw.exe
4596 | mkviwinw.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
2448 | mkviwinw.exe
2448 | mkviwinw.exe
2448 | mkviwinw.exe
3848 | njeixyaymwozxra.exe
4136 | elcqjnawir.exe
3848 | njeixyaymwozxra.exe
3848 | njeixyaymwozxra.exe
4136 | elcqjnawir.exe
4136 | elcqjnawir.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4596 | mkviwinw.exe
4596 | mkviwinw.exe
4596 | mkviwinw.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
2448 | mkviwinw.exe
2448 | mkviwinw.exe
2448 | mkviwinw.exe
3848 | njeixyaymwozxra.exe
4136 | elcqjnawir.exe
3848 | njeixyaymwozxra.exe
3848 | njeixyaymwozxra.exe
4136 | elcqjnawir.exe
4136 | elcqjnawir.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4184 | wulmlakqrknkc.exe
4596 | mkviwinw.exe
4596 | mkviwinw.exe
4596 | mkviwinw.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
3628 | WINWORD.EXE
3628 | WINWORD.EXE
3628 | WINWORD.EXE
3628 | WINWORD.EXE
3628 | WINWORD.EXE
3628 | WINWORD.EXE
3628 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 3836 wrote to memory of 4136 | 3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe | 83
PID 3836 wrote to memory of 4136 | 3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe | 83
PID 3836 wrote to memory of 4136 | 3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe | 83
PID 3836 wrote to memory of 3848 | 3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe | 84
PID 3836 wrote to memory of 3848 | 3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe | 84
PID 3836 wrote to memory of 3848 | 3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe | 84
PID 3836 wrote to memory of 2448 | 3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe | 85
PID 3836 wrote to memory of 2448 | 3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe | 85
PID 3836 wrote to memory of 2448 | 3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe | 85
PID 3836 wrote to memory of 4184 | 3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe | 86
PID 3836 wrote to memory of 4184 | 3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe | 86
PID 3836 wrote to memory of 4184 | 3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe | 86
PID 3836 wrote to memory of 3628 | 3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe | 87
PID 3836 wrote to memory of 3628 | 3836 | b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe | 87
PID 4136 wrote to memory of 4596 | 4136 | elcqjnawir.exe | 89
PID 4136 wrote to memory of 4596 | 4136 | elcqjnawir.exe | 89
PID 4136 wrote to memory of 4596 | 4136 | elcqjnawir.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3836
  - C:\Windows\SysWOW64\elcqjnawir.exe (depth 2)
    Command line: elcqjnawir.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 4136
    - C:\Windows\SysWOW64\mkviwinw.exe (depth 3)
      Command line: C:\Windows\system32\mkviwinw.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 4596
  - C:\Windows\SysWOW64\njeixyaymwozxra.exe (depth 2)
    Command line: njeixyaymwozxra.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3848
  - C:\Windows\SysWOW64\mkviwinw.exe (depth 2)
    Command line: mkviwinw.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2448
  - C:\Windows\SysWOW64\wulmlakqrknkc.exe (depth 2)
    Command line: wulmlakqrknkc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4184
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 3628
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads