Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
17/06/2024, 07:51
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe
Resource
win7-20240221-en
windows7-x64
28 signatures
150 seconds
Behavioral task
behavioral2
Sample
b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe
-
Size
512KB
-
MD5
b77c8b39957fbd5ea7a975a087b023f4
-
SHA1
8c79340d37de7a470fceefdfb67c44cb02921c1e
-
SHA256
a9bebb9e46144414c65aa8d75f557e983e20824570cf68aa3f74f3e98fdea859
-
SHA512
254357c3a85a19cd23f3e1e88b87ead7386ac51a1d16334e1f6637167f31a8a537412f8fe73dddffcfe98d1f139fdceecfc988fca4bf0b4acf7a7fdf29d0acd0
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6L:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm50
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" zeddrpedgb.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" zeddrpedgb.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" zeddrpedgb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" zeddrpedgb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" zeddrpedgb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" zeddrpedgb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" zeddrpedgb.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" zeddrpedgb.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 3076 zeddrpedgb.exe 1088 fqjyucwglmyeyci.exe 1644 kpdiotua.exe 724 zhgbjhhjpocnc.exe 5040 kpdiotua.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" zeddrpedgb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" zeddrpedgb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" zeddrpedgb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" zeddrpedgb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" zeddrpedgb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" zeddrpedgb.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zhgbjhhjpocnc.exe" fqjyucwglmyeyci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\utmvopzq = "zeddrpedgb.exe" fqjyucwglmyeyci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tknksukb = "fqjyucwglmyeyci.exe" fqjyucwglmyeyci.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\i: zeddrpedgb.exe File opened (read-only) \??\w: zeddrpedgb.exe File opened (read-only) \??\s: kpdiotua.exe File opened (read-only) \??\l: kpdiotua.exe File opened (read-only) \??\n: kpdiotua.exe File opened (read-only) \??\q: zeddrpedgb.exe File opened (read-only) \??\s: zeddrpedgb.exe File opened (read-only) \??\p: zeddrpedgb.exe File opened (read-only) \??\e: kpdiotua.exe File opened (read-only) \??\b: kpdiotua.exe File opened (read-only) \??\y: kpdiotua.exe File opened (read-only) \??\h: kpdiotua.exe File opened (read-only) \??\s: kpdiotua.exe File opened (read-only) \??\u: kpdiotua.exe File opened (read-only) \??\y: kpdiotua.exe File opened (read-only) \??\v: zeddrpedgb.exe File opened (read-only) \??\h: kpdiotua.exe File opened (read-only) \??\t: kpdiotua.exe File opened (read-only) \??\m: kpdiotua.exe File opened (read-only) \??\t: kpdiotua.exe File opened (read-only) \??\g: zeddrpedgb.exe File opened (read-only) \??\a: kpdiotua.exe File opened (read-only) \??\b: kpdiotua.exe File opened (read-only) \??\k: kpdiotua.exe File opened (read-only) \??\j: kpdiotua.exe File opened (read-only) \??\q: kpdiotua.exe File opened (read-only) \??\i: kpdiotua.exe File opened (read-only) \??\a: zeddrpedgb.exe File opened (read-only) \??\l: zeddrpedgb.exe File opened (read-only) \??\o: kpdiotua.exe File opened (read-only) \??\p: kpdiotua.exe File opened (read-only) \??\q: kpdiotua.exe File opened (read-only) \??\z: kpdiotua.exe File opened (read-only) \??\e: kpdiotua.exe File opened (read-only) \??\g: kpdiotua.exe File opened (read-only) \??\m: zeddrpedgb.exe File opened (read-only) \??\i: kpdiotua.exe File opened (read-only) \??\j: kpdiotua.exe File opened (read-only) \??\m: kpdiotua.exe File opened (read-only) \??\u: kpdiotua.exe File opened (read-only) \??\b: zeddrpedgb.exe File opened (read-only) \??\j: zeddrpedgb.exe File opened (read-only) \??\o: zeddrpedgb.exe File opened (read-only) \??\w: kpdiotua.exe File opened (read-only) \??\a: kpdiotua.exe File opened (read-only) \??\w: kpdiotua.exe File opened (read-only) \??\x: kpdiotua.exe File opened (read-only) \??\z: kpdiotua.exe File opened (read-only) \??\n: zeddrpedgb.exe File opened (read-only) \??\x: zeddrpedgb.exe File opened (read-only) \??\y: zeddrpedgb.exe File opened (read-only) \??\x: kpdiotua.exe File opened (read-only) \??\v: kpdiotua.exe File opened (read-only) \??\v: kpdiotua.exe File opened (read-only) \??\e: zeddrpedgb.exe File opened (read-only) \??\r: zeddrpedgb.exe File opened (read-only) \??\g: kpdiotua.exe File opened (read-only) \??\r: kpdiotua.exe File opened (read-only) \??\r: kpdiotua.exe File opened (read-only) \??\k: zeddrpedgb.exe File opened (read-only) \??\t: zeddrpedgb.exe File opened (read-only) \??\k: kpdiotua.exe File opened (read-only) \??\o: kpdiotua.exe File opened (read-only) \??\p: kpdiotua.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" zeddrpedgb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" zeddrpedgb.exe -
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/4152-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x00070000000233b2-5.dat autoit_exe behavioral2/files/0x00090000000233ae-20.dat autoit_exe behavioral2/files/0x00070000000233b3-27.dat autoit_exe behavioral2/files/0x00070000000233b4-32.dat autoit_exe behavioral2/files/0x0003000000000715-57.dat autoit_exe behavioral2/files/0x000a000000016fd9-63.dat autoit_exe behavioral2/files/0x000d00000001db09-69.dat autoit_exe behavioral2/files/0x000d00000001db3f-73.dat autoit_exe behavioral2/files/0x000d00000001db3f-92.dat autoit_exe -
Drops file in System32 directory 13 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\zhgbjhhjpocnc.exe b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe kpdiotua.exe File created C:\Windows\SysWOW64\fqjyucwglmyeyci.exe b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\kpdiotua.exe b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe File created C:\Windows\SysWOW64\zeddrpedgb.exe b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe kpdiotua.exe File opened for modification C:\Windows\SysWOW64\fqjyucwglmyeyci.exe b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe kpdiotua.exe File created C:\Windows\SysWOW64\zhgbjhhjpocnc.exe b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll zeddrpedgb.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe kpdiotua.exe File opened for modification C:\Windows\SysWOW64\zeddrpedgb.exe b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe File created C:\Windows\SysWOW64\kpdiotua.exe b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kpdiotua.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kpdiotua.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal kpdiotua.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal kpdiotua.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal kpdiotua.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kpdiotua.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal kpdiotua.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kpdiotua.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kpdiotua.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kpdiotua.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kpdiotua.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kpdiotua.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kpdiotua.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kpdiotua.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kpdiotua.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe kpdiotua.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe kpdiotua.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe kpdiotua.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe kpdiotua.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe kpdiotua.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe kpdiotua.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe kpdiotua.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe kpdiotua.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe kpdiotua.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe kpdiotua.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe kpdiotua.exe File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe kpdiotua.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe kpdiotua.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe kpdiotua.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe kpdiotua.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe kpdiotua.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat zeddrpedgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc zeddrpedgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf zeddrpedgb.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B02A479539EB53B8B9D633E9D7BC" b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFF8F482785139132D72F7D9DBDE7E632593167446330D7EE" b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F468B1FE6922DED27FD1D58B08906B" b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs zeddrpedgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302C7D9C2D83206D3E77D070232CDA7DF264DB" b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C67A15ECDAB0B9BE7FE1ED9534CB" b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" zeddrpedgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAF9CCF967F29084753B42819C3996B0FA02F94261033CE2BE429C08A3" b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg zeddrpedgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" zeddrpedgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" zeddrpedgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh zeddrpedgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" zeddrpedgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" zeddrpedgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" zeddrpedgb.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2764 WINWORD.EXE 2764 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 3076 zeddrpedgb.exe 3076 zeddrpedgb.exe 3076 zeddrpedgb.exe 3076 zeddrpedgb.exe 3076 zeddrpedgb.exe 3076 zeddrpedgb.exe 3076 zeddrpedgb.exe 3076 zeddrpedgb.exe 3076 zeddrpedgb.exe 3076 zeddrpedgb.exe 1088 fqjyucwglmyeyci.exe 1088 fqjyucwglmyeyci.exe 1088 fqjyucwglmyeyci.exe 1088 fqjyucwglmyeyci.exe 1088 fqjyucwglmyeyci.exe 1088 fqjyucwglmyeyci.exe 1088 fqjyucwglmyeyci.exe 1088 fqjyucwglmyeyci.exe 1088 fqjyucwglmyeyci.exe 1088 fqjyucwglmyeyci.exe 1644 kpdiotua.exe 1644 kpdiotua.exe 1644 kpdiotua.exe 1644 kpdiotua.exe 1644 kpdiotua.exe 1644 kpdiotua.exe 1644 kpdiotua.exe 1644 kpdiotua.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 5040 kpdiotua.exe 5040 kpdiotua.exe 5040 kpdiotua.exe 5040 kpdiotua.exe 5040 kpdiotua.exe 5040 kpdiotua.exe 5040 kpdiotua.exe 5040 kpdiotua.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 3076 zeddrpedgb.exe 3076 zeddrpedgb.exe 3076 zeddrpedgb.exe 1088 fqjyucwglmyeyci.exe 1088 fqjyucwglmyeyci.exe 1088 fqjyucwglmyeyci.exe 1644 kpdiotua.exe 1644 kpdiotua.exe 1644 kpdiotua.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 5040 kpdiotua.exe 5040 kpdiotua.exe 5040 kpdiotua.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 3076 zeddrpedgb.exe 3076 zeddrpedgb.exe 3076 zeddrpedgb.exe 1088 fqjyucwglmyeyci.exe 1088 fqjyucwglmyeyci.exe 1088 fqjyucwglmyeyci.exe 1644 kpdiotua.exe 1644 kpdiotua.exe 1644 kpdiotua.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 724 zhgbjhhjpocnc.exe 5040 kpdiotua.exe 5040 kpdiotua.exe 5040 kpdiotua.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2764 WINWORD.EXE 2764 WINWORD.EXE 2764 WINWORD.EXE 2764 WINWORD.EXE 2764 WINWORD.EXE 2764 WINWORD.EXE 2764 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 4152 wrote to memory of 3076 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 81 PID 4152 wrote to memory of 3076 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 81 PID 4152 wrote to memory of 3076 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 81 PID 4152 wrote to memory of 1088 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 82 PID 4152 wrote to memory of 1088 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 82 PID 4152 wrote to memory of 1088 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 82 PID 4152 wrote to memory of 1644 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 83 PID 4152 wrote to memory of 1644 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 83 PID 4152 wrote to memory of 1644 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 83 PID 4152 wrote to memory of 724 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 84 PID 4152 wrote to memory of 724 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 84 PID 4152 wrote to memory of 724 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 84 PID 4152 wrote to memory of 2764 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 85 PID 4152 wrote to memory of 2764 4152 b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe 85 PID 3076 wrote to memory of 5040 3076 zeddrpedgb.exe 87 PID 3076 wrote to memory of 5040 3076 zeddrpedgb.exe 87 PID 3076 wrote to memory of 5040 3076 zeddrpedgb.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\zeddrpedgb.exezeddrpedgb.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\kpdiotua.exeC:\Windows\system32\kpdiotua.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5040
-
-
-
C:\Windows\SysWOW64\fqjyucwglmyeyci.exefqjyucwglmyeyci.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1088
-
-
C:\Windows\SysWOW64\kpdiotua.exekpdiotua.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1644
-
-
C:\Windows\SysWOW64\zhgbjhhjpocnc.exezhgbjhhjpocnc.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:724
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2764
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD58a04a4a2b83534148f5edee2b0a7fee7
SHA141824fcde15a8658584fd95c3fa46ca86bb00501
SHA2566bc94f8f7f7c4612c93e4168fe5621d040e44c9f9f0233042e04dcc51e747cfa
SHA512f648d9a5076d7df4756f93e3739dbeba0876fd62a6c39aa0a7feb6bd5b09caf93cfdcb02f23351b19378a76302668a65f5ae57c5a54166badf343f6acfd8509e
-
Filesize
512KB
MD557db9a47c3c30d534eb99a4f3dcb195b
SHA1ce5a26adc58b6ac71db1af5b2e477021f044be79
SHA2567199944da39956a4bc46e217d5793c7da128dc6fb8131d2b615e88aadebd19cc
SHA5129a4aeb6bfd314443637053db12f6c8888650e3f72ab0afaeab20c932783953d5fc5c5bdcf1c00cf067579ee26c8ac2d51ee57ab64422bdd16ee2924324f93408
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5c0c5974bb3b01b3ff7b98ec7f54de44e
SHA1a601ab848a4c6c14ea6e72af33560b882422c901
SHA256afd44323779b22afb4057a347dedfd4853bb54da5e23422d9c601af2b3f92945
SHA51257e8bd6d63609726292dd1c02252a27e56449f0849e34afb998d65250aaeb14ca028043df1ef590ca76873a750a4ab3acb203cd83d3e15f76c504e197084c89f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5e754797c1d7e815b217db0a0a4335979
SHA1c7037628b062734c3b95ab24814e258986de49f8
SHA256417b0e00ad59ed086b6a13f4dfbcc9739271e47789397b8bd9612561fe6db5da
SHA5122de8372179f0bc2ca04dd15ff6ba01d6252fe86a7bd20585b405c3949f0ec03f51ab936eaf8892b3608a723cbd61674125274e416cc03319c98dd023d3c01c79
-
Filesize
512KB
MD52ab41e172969867d4a792546dcc7e6ff
SHA19df2988b99b6a228e96377e303715d348cc550ac
SHA256f9cb12e4e5a8ea68668c285145b62618f92ccc105922701a62667cec1ab3d453
SHA5127c03cd8b54036148ec8ccd358e7150bce3f03d7ea44b70c9695061b2fbf4106414841d86f7ce2aad19349195d71e2b8b86733526e2a22070401305293871e022
-
Filesize
512KB
MD5ce7fc93e0118deae4ed7be5727cb2ca5
SHA14e490c80e94419a13b5a97e19064ca02db02733f
SHA256dc6b8da21b84c39b6a4af24755d8791fd3ba47c035741bfb532de8b262a9a954
SHA512a5c90302665717c401dd591472812ceed203a40f26d8488a34ebd92bb65e830891cb325260ce62c180ea83caa0f8e98efd096dc37db53411b62ade84cba44bc2
-
Filesize
512KB
MD57e2111bae5dac74b5df7b40761835d06
SHA1f5ace8510bd10d46678f7db63ed04353c46c96bc
SHA256fa7863202549159b295f3a8a51f82311a5546072f331b2cc8d9cd75305bc18f6
SHA512155b9556e4578ca4b1a50421c77fbdcbc76b305f4812e032bb76aa481383f48c11883b1ec9fc93863bae3f5c3bcff1ba15c63c7125e7148637c0baeb2fde6329
-
Filesize
512KB
MD5b08d84530516c392d1427202609b2096
SHA128cd2b13feae19f835c65e58f0e0b6ba45de299e
SHA2567e8a791a54a09e87e3af89a3b08b7770c2a81aded998873611cbab73981e3e7e
SHA512df1e5bc2e93c94dfd3d6957425246d00d00ed4e11e35fa62e591abe997bd912f8bc9d25b19c679eee2a07e226464c2640a447136776b960483c8b4b8ac3c98b6
-
Filesize
512KB
MD5e3f392b9f6038bd0d28f601a92b640ab
SHA1eab9f7b6f983f9dfabe2593acf7495808924de2f
SHA256162ae1d08335f3483e06179085731c8e82b19dbc661be9168ca2b9be4a201978
SHA5127e9835b5ff9c1c8b4a5bf15548ca196b9af936e699bd3845e663cde5bf2eae704978ce8290893347d1ff5b316f966e4f82b08e0d5594fc9fd24b89e153417455
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD52c1cc7d25a24e5bb770172958c1355a1
SHA1777e257ab6570548ad25dbf0881c2aa0fd2fafd4
SHA256e0b9725ac248d6ae264f6389c346f32d8ca41459f0e6105a7d7bf113b326f0b9
SHA512e026f6b24e271b272c25163286433ec1a7ae259cf99cefe191445e29f119823f9ebba1bd9fa67bac768d06a91dfc151dfa36dc54d24a8f9acec0f8f2049090d4
-
Filesize
512KB
MD595581deb80411bed643796d2bcc6c412
SHA15672946e9ec29287737213c02f60c1586d40c8fe
SHA2561ac21b1b998a7287d9baf7fb253b88c99f439b58b7e9342d895a2a9eeac02264
SHA512f44ff3e8cf8e29b563d020a4b65bf6566ccc486b8e9a04494d5797616884905d270a894fdd11b35dcecb169e11d08cafdd2b74a94395974638ca54cab058a656