Analysis
max time kernel: 150s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/06/2024, 12:13
Static task: static1
Behavioral task: behavioral1
  Sample: b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
The signature, process and download data below come from behavioral2 (Windows 10 2004 x64); the YARA resource paths in the AutoIT signature are prefixed behavioral2/ accordingly.
General
Target: b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
Size: 512KB
MD5: b88f3160a897a6b88c253bc964821ef5
SHA1: b32e26c0460852055d2999cf52a3f90a03c8e6d8
SHA256: 049c0d29eec24d6ec5ab2fe67ba97837eed35b0a5414a56d78a4f37024bc12d5
SHA512: 18c81fc85bf1b5de5db59f6f60573b57ecb8b344f923fdf0f84a0179a70c15b15eeab89d55a1d78c6949136a462cfce730898488f557f4880567970c73b2baf7
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6h:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5C
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | fppgsclmtv.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | fppgsclmtv.exe
Together, HideFileExt = 1 and ShowSuperHidden = 0 make the double-extension drops listed further down (for example PROTTPLN.DOC.exe) render in Explorer as PROTTPLN.DOC.

Windows security bypass (5 IoCs)
(Signature name restored from the process-tree entry for fppgsclmtv.exe; it was missing from the extracted table.)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fppgsclmtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fppgsclmtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fppgsclmtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fppgsclmtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | fppgsclmtv.exe
The WOW6432Node path shows these writes landed in the 32-bit redirected view of HKLM\SOFTWARE (the dropper runs from SysWOW64 on this x64 image), not in the native key; they are XP-era Security Center values and should be read as intent rather than as an effective bypass on Windows 10.

Disables RegEdit via registry modification (1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fppgsclmtv.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe

Executes dropped EXE (5 IoCs)
pid | process
1108 | fppgsclmtv.exe
1940 | mhtxuodcxgevmxj.exe
1148 | vkvmunph.exe
1888 | oxwuygtppbpfn.exe
1364 | vkvmunph.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
(No IoC rows were recorded for this signature.)

Windows security modification (6 IoCs)
(Signature name restored from the process-tree entry for fppgsclmtv.exe; it was missing from the extracted table.)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | fppgsclmtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fppgsclmtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fppgsclmtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fppgsclmtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | fppgsclmtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fppgsclmtv.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zbdlpjkx = "fppgsclmtv.exe" | mhtxuodcxgevmxj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgwklctd = "mhtxuodcxgevmxj.exe" | mhtxuodcxgevmxj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oxwuygtppbpfn.exe" | mhtxuodcxgevmxj.exe
The third entry writes the Run key's (Default) value (trailing backslash, empty value name). All three use bare file names, which resolve because the copies sit in SysWOW64; the WOW6432Node Run key is processed at logon, so this persistence is effective even though it is in the 32-bit view.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Every entry is "File opened (read-only) \??\<letter>:"; letters repeat because two vkvmunph.exe instances (PIDs 1148 and 1364) each ran the scan. Grouped by process:
fppgsclmtv.exe (21 opens): a: b: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: w: x: y: z:
vkvmunph.exe (43 opens): a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z:
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | fppgsclmtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | fppgsclmtv.exe
4294967197 is 0xFFFFFF9D, i.e. the DWORD -99: the legacy Windows File Protection disable value from the Windows 2000/XP era. Windows 10 uses Windows Resource Protection instead and the key is written into the WOW6432Node view, so this is a fingerprint of old file-infector tooling, not a working SFC bypass here.
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2324-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0008000000023527-5.dat | autoit_exe
behavioral2/files/0x0009000000023520-18.dat | autoit_exe
behavioral2/files/0x0007000000023529-31.dat | autoit_exe
behavioral2/files/0x0007000000023528-29.dat | autoit_exe
behavioral2/files/0x0004000000022a71-64.dat | autoit_exe
behavioral2/files/0x000800000002350b-75.dat | autoit_exe
behavioral2/files/0x0008000000023540-81.dat | autoit_exe
behavioral2/files/0x0008000000023542-87.dat | autoit_exe
behavioral2/files/0x0008000000023543-107.dat | autoit_exe
behavioral2/files/0x0008000000023543-115.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\fppgsclmtv.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vkvmunph.exe
File created | C:\Windows\SysWOW64\fppgsclmtv.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\mhtxuodcxgevmxj.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\vkvmunph.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | fppgsclmtv.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vkvmunph.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vkvmunph.exe
File opened for modification | C:\Windows\SysWOW64\mhtxuodcxgevmxj.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vkvmunph.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vkvmunph.exe
File created | C:\Windows\SysWOW64\oxwuygtppbpfn.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\oxwuygtppbpfn.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
The four randomly named executables are written by the submitted sample; the .doc.exe files are written by vkvmunph.exe, next to the Office IRM protector components they imitate by name. msvbvm60.dll is opened for modification by fppgsclmtv.exe (the VB6 runtime in SysWOW64).

Drops file in Program Files directory (15 IoCs)
description | ioc | process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vkvmunph.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vkvmunph.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vkvmunph.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vkvmunph.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vkvmunph.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vkvmunph.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vkvmunph.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vkvmunph.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vkvmunph.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vkvmunph.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vkvmunph.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vkvmunph.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vkvmunph.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vkvmunph.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vkvmunph.exe
PROTTPLN.DOC and PROTTPLV.DOC are Word protected-template documents shipped in Office16\1033. vkvmunph.exe writes a PROTTPLN.DOC.exe / PROTTPLV.DOC.exe beside each and a same-stem .nal file, the pattern of a document-masquerading infector; with extensions hidden by the Explorer changes above, the executable is indistinguishable by name from the document.

Drops file in Windows directory (19 IoCs)
description | ioc | process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vkvmunph.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vkvmunph.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vkvmunph.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vkvmunph.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vkvmunph.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vkvmunph.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vkvmunph.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vkvmunph.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vkvmunph.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vkvmunph.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vkvmunph.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vkvmunph.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vkvmunph.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vkvmunph.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vkvmunph.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vkvmunph.exe
The WinSxS component names are truncated in the Triage output ("r..t-office-protectors"); the four MsoIrmProtector.doc.exe drops cover both the amd64 and wow64 flavours of two versions of the Office IRM protector component. The sample writes C:\Windows\mydoc.rtf and then launches WINWORD.EXE on it (see the process tree); the ~$mydoc.rtf owner file created by Word confirms the document was actually opened, consistent with a decoy shown to the user while the drops run.
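The three "Drops file" tables above share one row layout, and the interesting signal in them is not the individual paths but the naming pattern: a document extension immediately followed by .exe, written under directories a normal user never writes to. The script below is an added example (not Triage's code and not the sample's) that parses rows in that layout, normalises the \??\ object-manager prefix, de-duplicates repeated opens of the same path and flags the two signals. The sample rows are copied from the tables above; the extension list, the protected-directory list and the function names are my own assumptions.

```python
"""Flag masquerading drops in Triage-style file IoC rows (added example, not Triage code)."""
import re
from collections import defaultdict

# Constructed sample: rows copied from the three "Drops file" tables in this report.
SAMPLE_ROWS = [
    r'File created C:\Windows\SysWOW64\fppgsclmtv.exe b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe',
    r'File opened for modification C:\Windows\SysWOW64\msvbvm60.dll fppgsclmtv.exe',
    r'File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe vkvmunph.exe',
    r'File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe vkvmunph.exe',
    r'File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe vkvmunph.exe',
    r'File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal vkvmunph.exe',
    r'File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe vkvmunph.exe',
    r'File opened for modification C:\Windows\mydoc.rtf b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe',
    r'File created C:\Windows\~$mydoc.rtf WINWORD.EXE',
]

ROW_RE = re.compile(r'^(File created|File opened for modification|File opened \(read-only\))\s+(.*)$')
# Document-style extension directly followed by .exe; with HideFileExt=1 the .exe part is not shown.
DOUBLE_EXT_RE = re.compile(r'\.(doc|docx|rtf|xls|xlsx|ppt|pptx|pdf|txt)\.exe$', re.I)
# Word's owner/lock file: "~$<name>" next to an opened document.
WORD_LOCK_RE = re.compile(r'\\~\$[^\\]+$')
# Assumed list of directories an interactive user should never be writing into.
PROTECTED_DIRS = ('c:\\windows\\', 'c:\\program files\\')


def normalize_path(p):
    """Strip the NT object-manager prefix and upper-case the drive letter."""
    if p.startswith('\\??\\'):
        p = p[4:]
    return p[0].upper() + p[1:] if len(p) > 1 and p[1] == ':' else p


def parse_file_ioc(row):
    """Split one row into operation, normalised path and writing process."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    op, rest = m.groups()
    path, _, proc = rest.rpartition(' ')        # process image is the last token
    return {'op': op, 'path': normalize_path(path), 'proc': proc}


def analyse(rows=SAMPLE_ROWS):
    """Group distinct paths per process and flag masquerade, protected-dir writes and Word lock files."""
    by_proc = defaultdict(set)
    masquerade, in_protected, word_lock = [], [], []
    for rec in map(parse_file_ioc, rows):
        if rec is None:
            continue
        p = rec['path']
        if p in by_proc[rec['proc']]:
            continue                            # same path created/opened repeatedly: count once
        by_proc[rec['proc']].add(p)
        if DOUBLE_EXT_RE.search(p):
            masquerade.append((rec['proc'], p))
        if p.lower().startswith(PROTECTED_DIRS) and rec['op'] != 'File opened (read-only)':
            in_protected.append((rec['proc'], p))
        if WORD_LOCK_RE.search(p):
            word_lock.append((rec['proc'], p))
    return {'by_proc': dict(by_proc), 'masquerade': masquerade,
            'in_protected': in_protected, 'word_lock': word_lock}


if __name__ == '__main__':
    result = analyse()
    for proc, path in result['masquerade']:
        print(f'masquerade  {proc:<14} {path}')
    for proc, paths in result['by_proc'].items():
        print(f'{proc}: {len(paths)} distinct paths written')
```

Running it on the nine constructed rows yields three double-extension drops (all from vkvmunph.exe), eight distinct writes under protected directories, and one Word lock file from WINWORD.EXE. Keying a hunt on the `.<docext>.exe` pattern plus the writing process's own location (SysWOW64) is more durable than the random eight-to-fifteen-letter file names, which change per infection.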
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
(No IoC rows were recorded for this signature.)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Both of these signatures fire only on WINWORD.EXE, the process the sample launched to display mydoc.rtf, and not on the sample or any dropped executable. Office reads these keys during normal start-up, so they are noise here and say nothing about sandbox evasion by the sample itself.
Modifies registry class (20 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D789D5083586D3F76D370532CAC7CF365DF" | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0806BB7FE1B21ABD10BD0A48A0B9062" | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | fppgsclmtv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | fppgsclmtv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | fppgsclmtv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | fppgsclmtv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | fppgsclmtv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8FABCFE10F29184753B37869F3992B3FE02884314023FE1BA45E808A0" | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B121449339EF52CBBADC33EED7CE" | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFC8F4F27826D9031D7207E91BC94E632594566476341D79A" | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | fppgsclmtv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | fppgsclmtv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | fppgsclmtv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | fppgsclmtv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | fppgsclmtv.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC60F14E5DAB0B8C87CE7ECE534CD" | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | fppgsclmtv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | fppgsclmtv.exe
Two distinct things are happening here. The submitted sample creates HKLM\SOFTWARE\Classes\CLV.Classes and stores six hex-string values (Com1..Com4, StartCom1, StartCom2) under it; the report does not decode them, so treat them as opaque per-infection state. Separately, fppgsclmtv.exe sets the (Default) value of the .reg, .bat, .vbs, .wsf, .wsh and .wsc extension keys to the txtfile ProgID. After that, double-clicking any of those files opens it in Notepad instead of importing it into the registry or running it, which neutralises the usual cleanup route of merging a .reg file or running a batch script; combined with DisableRegistryTools = 1 above, the user is left without regedit and without script-based repair. Note that a "Key created" row for an extension key only reflects the RegCreateKey call that precedes the value write and is not a separate change.
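The registry signatures above (Explorer visibility, Security Center overrides, DisableRegistryTools, the Winlogon SFCDisable value, the Run keys and the script-extension remaps) all use the same "Set value (type) \REGISTRY\... = "data" process" row layout. The script below is an added example, not Triage's code or anything from the sample: it parses that layout, maps the native \REGISTRY\MACHINE and \REGISTRY\USER\<SID> prefixes to hive names, records whether a write went to the WOW6432Node view, decodes DWORDs the way SFCDisable needs, and classifies each row against a small rule table covering the tampering seen in this report. The sample rows are copied from the tables above; the rule labels, function names and hive mapping are my own.

```python
"""Parse Triage-style registry IoC rows and flag known tamper keys (added example, not Triage code)."""
import re

# Constructed sample: one row copied from each registry signature table in this report.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" fppgsclmtv.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" fppgsclmtv.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" fppgsclmtv.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" fppgsclmtv.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oxwuygtppbpfn.exe" mhtxuodcxgevmxj.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" fppgsclmtv.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc fppgsclmtv.exe',
]

OP_RE = re.compile(r'^(Set value \((int|str)\)|Key created|Key opened|Key value queried)\s+(.*)$')
SID_RE = re.compile(r'^\\REGISTRY\\USER\\(S-1-5-[\d-]+(?:_Classes)?)\\(.*)$', re.I)

# (key-suffix regex, value-name regex, required data or None, label). Labels are mine.
RULES = [
    (r'\\Explorer\\Advanced$', r'HideFileExt', '1', 'Explorer hides extensions ("x.DOC.exe" shows as "x.DOC")'),
    (r'\\Explorer\\Advanced$', r'ShowSuperHidden', '0', 'Explorer hides protected OS files'),
    (r'\\Policies\\System$', r'DisableRegistryTools', '1', 'regedit disabled by policy'),
    (r'\\Security Center$', r'.*(Override|DisableNotify|FirstRunDisabled)', '1', 'Security Center override/notification tamper'),
    (r'\\Winlogon$', r'SFCDisable', None, 'SFCDisable written (legacy WFP switch)'),
    (r'\\CurrentVersion\\Run$', r'.*', None, 'Run-key persistence'),
    (r'\\Classes\\\.(reg|bat|vbs|wsf|wsh|wsc)$', r'', 'txtfile', 'script extension remapped to txtfile (opens in Notepad, no longer runs)'),
]


def decode_dword(text):
    """Return (unsigned, signed, hex) for a REG_DWORD that Triage prints as decimal."""
    u = int(text) & 0xFFFFFFFF
    s = u - 0x1_0000_0000 if u & 0x8000_0000 else u
    return u, s, f'0x{u:08X}'


def split_hive(path):
    """Map the native-format path to a hive label plus the remainder below it."""
    if path.upper().startswith('\\REGISTRY\\MACHINE\\'):
        return 'HKLM', path[len('\\REGISTRY\\MACHINE\\'):]
    m = SID_RE.match(path)
    if m:
        return 'HKU\\' + m.group(1), m.group(2)
    return '?', path


def parse_registry_ioc(line):
    """Split one row into op, hive, key, value name, data and writing process."""
    m = OP_RE.match(line.strip())
    if not m:
        return None
    op, vtype, rest = m.groups()
    rest, _, proc = rest.rpartition(' ')        # process image is the last token
    data = None
    if ' = "' in rest:
        rest, _, tail = rest.partition(' = "')
        data = tail[:-1]                        # drop the closing quote
    hive, sub = split_hive(rest)
    if op in ('Key created', 'Key opened'):
        key, name = sub, None                   # row names a key, not a value
    else:
        key, _, name = sub.rpartition('\\')     # trailing '\' means the (Default) value, name ''
    return {'op': op, 'type': vtype, 'hive': hive, 'key': key, 'name': name,
            'data': data, 'proc': proc, 'wow64': '\\WOW6432NODE\\' in sub.upper()}


def classify(records):
    """Apply RULES to parsed rows; return one finding per matching row."""
    findings = []
    for r in records:
        if r is None or r['name'] is None:
            continue
        for key_re, name_re, want, label in RULES:
            if (re.search(key_re, r['key'], re.I) and re.fullmatch(name_re, r['name'], re.I)
                    and (want is None or r['data'] == want)):
                f = dict(r, rule=label)
                if r['type'] == 'int' and r['data'] is not None:
                    f['dword'] = decode_dword(r['data'])
                findings.append(f)
                break
    return findings


def triage(lines=SAMPLE_LINES):
    return classify(parse_registry_ioc(l) for l in lines)


if __name__ == '__main__':
    for f in triage():
        view = ' [32-bit view]' if f['wow64'] else ''
        print(f"[{f['proc']}] {f['rule']}: {f['hive']}\\{f['key']}\\{f['name'] or '(Default)'} = {f['data']}{view}")
```

On the constructed rows this yields six findings (the bare "Key created" row has no value name and is ignored), reports the SFCDisable data as 0xFFFFFF9D / -99, and marks the Security Center, Winlogon and Run writes as having gone to the WOW6432Node view while the HKU Explorer and policy writes did not. The same `wow64` flag is what separates "wrote an XP-era value into the 32-bit view" from a change the 64-bit OS will actually honour.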
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process | entries
2360 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process | entries
2324 | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe | 16
1148 | vkvmunph.exe | 8
1940 | mhtxuodcxgevmxj.exe | 10
1108 | fppgsclmtv.exe | 10
1888 | oxwuygtppbpfn.exe | 12
1364 | vkvmunph.exe | 8

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | process | entries
2324 | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe | 3
1940 | mhtxuodcxgevmxj.exe | 3
1148 | vkvmunph.exe | 3
1108 | fppgsclmtv.exe | 3
1888 | oxwuygtppbpfn.exe | 3
1364 | vkvmunph.exe | 3

Suspicious use of SendNotifyMessage (18 IoCs)
pid | process | entries
2324 | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe | 3
1940 | mhtxuodcxgevmxj.exe | 3
1148 | vkvmunph.exe | 3
1108 | fppgsclmtv.exe | 3
1888 | oxwuygtppbpfn.exe | 3
1364 | vkvmunph.exe | 3

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | process | entries
2360 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | process | procid_target | entries
PID 2324 wrote to memory of 1108 | 2324 | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe | 83 | 3
PID 2324 wrote to memory of 1940 | 2324 | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe | 84 | 3
PID 2324 wrote to memory of 1148 | 2324 | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe | 85 | 3
PID 2324 wrote to memory of 1888 | 2324 | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe | 86 | 3
PID 2324 wrote to memory of 2360 | 2324 | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe | 87 | 2
PID 1108 wrote to memory of 1364 | 1108 | fppgsclmtv.exe | 89 | 3
(procid_target is Triage's own sequential process identifier for the target, not a Windows PID.)
Processes
C:\Users\Admin\AppData\Local\Temp\b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
command line: "C:\Users\Admin\AppData\Local\Temp\b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe"
PID: 2324
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\fppgsclmtv.exe
  command line: fppgsclmtv.exe
  PID: 1108 (parent 2324)
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\vkvmunph.exe
    command line: C:\Windows\system32\vkvmunph.exe
    PID: 1364 (parent 1108)
    (The 32-bit parent passed a system32 path; WOW64 file-system redirection resolved it to SysWOW64, where the copy was dropped.)
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\mhtxuodcxgevmxj.exe
  command line: mhtxuodcxgevmxj.exe
  PID: 1940 (parent 2324)
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\vkvmunph.exe
  command line: vkvmunph.exe
  PID: 1148 (parent 2324)
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\oxwuygtppbpfn.exe
  command line: oxwuygtppbpfn.exe
  PID: 1888 (parent 2324)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  PID: 2360 (parent 2324)
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

Role split visible in the tree: the sample drops four copies and opens the decoy; fppgsclmtv.exe does the registry tampering and spawns a second vkvmunph.exe; mhtxuodcxgevmxj.exe writes the Run keys; both vkvmunph.exe instances scan drives and plant the .DOC.exe files.
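The "Suspicious use of WriteProcessMemory" table and the process tree above describe the same six relationships: every memory-write target is a direct child of the writer, which is what ordinary process creation looks like (the parent writes the new child's startup data) rather than injection into a foreign process. The script below is an added example, not Triage's code: it parses rows in the WriteProcessMemory layout, aggregates them into writer/target pairs, and checks each pair against a parent map read off the Processes section, so that any write into a process the writer did not spawn stands out. The WRITE_ROWS, PARENT_OF and IMAGE_OF inputs are constructed from this report; the function names are my own.

```python
"""Cross-check 'wrote to memory of' rows against the process tree (added example, not Triage code)."""
import re
from collections import Counter

# Constructed from the WriteProcessMemory table above (a subset; duplicates kept on purpose).
WRITE_ROWS = [
    'PID 2324 wrote to memory of 1108 2324 b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe 83',
    'PID 2324 wrote to memory of 1108 2324 b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe 83',
    'PID 2324 wrote to memory of 1940 2324 b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe 84',
    'PID 2324 wrote to memory of 2360 2324 b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe 87',
    'PID 1108 wrote to memory of 1364 1108 fppgsclmtv.exe 89',
]
# child PID -> parent PID and PID -> image, read off the Processes section (2324 is the sample).
PARENT_OF = {1108: 2324, 1940: 2324, 1148: 2324, 1888: 2324, 2360: 2324, 1364: 1108}
IMAGE_OF = {2324: 'b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe', 1108: 'fppgsclmtv.exe',
            1940: 'mhtxuodcxgevmxj.exe', 1148: 'vkvmunph.exe', 1888: 'oxwuygtppbpfn.exe',
            2360: 'WINWORD.EXE', 1364: 'vkvmunph.exe'}

# Columns: description ("PID <w> wrote to memory of <t>"), pid, Process, procid_target.
# procid_target is Triage's own sequential id for the target process, not a Windows PID.
ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$')


def parse_write_row(row):
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    writer, target, pid, image, procid = m.groups()
    return {'writer': int(writer), 'target': int(target), 'image': image, 'procid_target': int(procid)}


def check_writes(rows=WRITE_ROWS, parent_of=PARENT_OF):
    """Count rows per (writer, target) pair and list pairs whose target the writer did not spawn."""
    pairs = Counter()
    for r in filter(None, map(parse_write_row, rows)):
        pairs[(r['writer'], r['target'])] += 1
    foreign = [(w, t) for (w, t) in pairs if parent_of.get(t) != w]
    return {'pairs': dict(pairs), 'foreign': foreign}


def spawn_depth(pid, parent_of=PARENT_OF):
    """Depth of pid below the submitted sample (0 = the sample itself)."""
    depth = 0
    while pid in parent_of:
        pid = parent_of[pid]
        depth += 1
    return depth


def render_tree(root=2324, parent_of=PARENT_OF, image_of=IMAGE_OF, depth=0):
    """Indented 'pid image' lines, children sorted by PID, as a list of strings."""
    lines = [f"{'  ' * depth}{root} {image_of.get(root, '?')}"]
    for child in sorted(c for c, p in parent_of.items() if p == root):
        lines.extend(render_tree(child, parent_of, image_of, depth + 1))
    return lines


if __name__ == '__main__':
    print('\n'.join(render_tree()))
    result = check_writes()
    for (w, t), n in result['pairs'].items():
        print(f'{w} -> {t}: {n} write(s), target spawned by writer: {(w, t) not in result["foreign"]}')
    print('foreign-process writes:', result['foreign'] or 'none')
```

With the report's data `foreign` comes back empty: each target was created by the writer, so the 17 WriteProcessMemory hits are a side effect of the six CreateProcess calls and not evidence of code injection. A non-empty `foreign` list (for example a write into explorer.exe or a PID absent from the tree) is the case that would justify pulling memory dumps of the target.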
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Fifteen files were collected. Ten of them are 512KB, the same size as the submitted sample, yet every one carries a different hash: the dropped copies are not byte-identical to the parent, so a block on the submitted file's hashes will not catch the copies and matching should rely on the naming pattern, the SSDEEP above or YARA (all are flagged autoit_exe). Entries without a path had no file name captured on this page.

Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Filesize: 239B
MD5: c0458d84c21e6a33d9dd19954db113e2
SHA1: ed281badb74c7dc0d4cc42e7bdfb1442c2b7fca2
SHA256: 9f644dd6e8fd46e1607d736deaae1ef28b2b043d7c1fcf97fda64f4044b047cb
SHA512: de0ad401e167d9220d2fd8d08f5f14ca22e68b0e6260ab7b5fdf17e8db8aa442ed9f5326f84f65e4ae93650c182f6e09639d83e8a3798fdb2389ac0422a82f34

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: edabad0d610cf15943b39b3e455f9f7d
SHA1: 5917a0e4f8820868e9df48b7b1632891c16b0f58
SHA256: 51164b96ee480abb1355e952c96f5f7d99ec42daae40ef255cc49805a56b0df3
SHA512: 4e7fbc5d074426f27036a489d8ab94a90cf6bc7cf4d2faef6d285d5b578d6e884aa42b7dcea85a4ef08d8f61fe79a08096e5da731dc9f773c8397b8714c3683e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: e2fe05da99b765a1f589ad973fb80afa
SHA1: b403f3a19c28e7f65ced67ec0afe5d1edebfa891
SHA256: edf6344525c4a8761da1e64531d22ed7fee726ff47bd6085bab030b0158dfd68
SHA512: 4a3a63a66d9a2743389aa8341c8f3a8f7b2ef6af896fe88b8b0fc21ad4eff66bf6bfd2fb63f0c895bf935c2c411bbe90c107ef5e7137f8ae1b21ccc3e683b6ff

Filesize: 512KB
MD5: 99223e27a38fbc21b09508dd5a3b5db3
SHA1: a250b9d4c3dd2fec73621a79ed88d174c0bd05e0
SHA256: db036ce5012d0996415abbbf03b6ffa8e0666e447acd4e9949a612fdaf8874ea
SHA512: a0eab2323b338b6d3db5db8714e22e7b19835ee8cfb01a848bbe1d663352981826778ffa19efdeb160e0c118149ac9494b82739f76db15cb890b548fb5d583ae

Filesize: 512KB
MD5: a66f25f800d61507fca3993093eb7a27
SHA1: ce799abdd8383f177adc9d0906c9c9936e6cc705
SHA256: 5e983413518c4996abcfd33d7a0b40f4e25001df8c930f31ed1114a36eb6f6a7
SHA512: a8cc88649734e52abe32613e85294a118ee44bc92879c4bb2bd18f46aaad2c81b555caeac80138809b7e36466e13d7b4d35eceb18deeb2dc5ecb406c0ee1a172

Filesize: 512KB
MD5: c44ffbb5c4b7fb8e483a9b07f7d2fdc5
SHA1: a33a8f2315c1ac0574e0a641751e1b376a82b918
SHA256: 029444a7c57434c0b78a8e26b6d72a2407849e6a3b513cd34f27802e36f4aa56
SHA512: a8c7e49674481eafc6570782e087776f7db71468b405af7fd2e51a164e9ce68d51769cbac16fa34989b1a4446a31ae85fa57371aa454f523d9d7bc07dc28f59a

Filesize: 512KB
MD5: 5ceaba630620b9a32d507eb55e13ce8a
SHA1: 3427aa8cc65734a71ffb58abbb081a80a618415a
SHA256: df4896dd174f6db2eb23b49facc47b160f0413acd302bf29fd2ea07042d897f9
SHA512: 7fae48b0022287f84676ec53629e44910599f5fdc662f5dfd6997caf8aec943d0747ca23b31bca551d2edc169858dfff4f884faf8360436f802e0b3680ebef38

Filesize: 512KB
MD5: 816687bd88cfd47e0e4844e375bfaa36
SHA1: 180ac600fecc83ce5ca41b5c83e824527aea14c8
SHA256: 81bc3551a36b1138e5acef324ee4a810779c25147b5d3486437e04239fb25c97
SHA512: f31665e13dce20bc94998b78885a31a4c3dada6e75f23a2f1348afba31324ce4f71022e153eebd6686639bdfffec1ae94c29069243d037b78d2b5623de7cf7d8

Filesize: 512KB
MD5: 58b27c5472947c293cce2b6543e01975
SHA1: c7236e9b23e990f0480a3604fccbb25fef9e4f93
SHA256: 4fb98f973ebcd71e9e30e3369d00c0725c90a7ed098662b0009dbe0d22b2a0ff
SHA512: 5f1e82a6ec60483a407c829cb99ef1ffd9e1c17a8351d05ce218864ed3a40dedfea638da0eb1f6329c89e325a4abbc8d1f0200c662382bd1944b02bb522f48d0

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: c6b0d0743c5d6c91e0faa4515168975f
SHA1: 38266b8750ffa92dcb746d33c7c5507a8eda263d
SHA256: 3e0c727876298e76bbf061177d17e23927139cce014ed24aeeb598f73ab00ccd
SHA512: b0346dfd9f24c2d4879bed1d1cd75907ba1ab70c849e58abacbd91ff385cbd0713aecd1bb116db32a072d65f7aa16120a9f9a8dcb9bbb2c6060a438e677d7e44

Filesize: 512KB
MD5: 4e292bcd42777eefa6f6917a24f97ed4
SHA1: 474332ace280ff480a439232441dcf3c8d3094a9
SHA256: a1d67255a5e9cdda21007672f0ad9ef24999f826b7d9659f24e8133f2341599f
SHA512: 6da154338e9f74bb01864283da630cc707243e736335f51ab8e7153c12da62f340db56c5d71ca7961a093bbef238a168641c1f14dd428d5e6ad23c21cfd7f703

Filesize: 512KB
MD5: 56b9ccd7d61c0a427d4393e31d1e7063
SHA1: 39f0ffe3d4912f878c7d1ab0faa0d0bbf4f4a2b5
SHA256: 8619ed1248de7d7c73efc9de2de16b03ae1ca84437a13e47faed1d83d155a315
SHA512: 6b8e97ff0a1d915b2630afd91ddda6dea216489da565ebc40a40826e5bce636b6d3f2c7b8afc11ef6f5860402772c2860f33a030ccc1203949580d5358604bdf

Filesize: 512KB
MD5: f21db8b0f81013d1a8e7821edaecb6d0
SHA1: bb0312bd9b5525193593069af18f79568ebd5f0a
SHA256: 159a5f937a265d58f3f1beabc556077548982f65cb766201b1571a30e7b4b1e8
SHA512: 0a2cc90d103fa78d5254868d26e923afc9d04a2743f2176ddd48d487e7a3c2a2c8f53ab8c12d6c0b5cfdf930de4fe9845482034693d5bdff91e308c2009f867b