Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14/07/2024, 02:35
Static task: static1
Behavioral task behavioral1: 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe on win7-20240708-en
Behavioral task behavioral2: 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe on win10v2004-20240709-en
The signatures and process tree on this page are from the windows7_x64 run (behavioral1).
General
Target: 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe
Size: 26KB
MD5: 43f4a2878cadd6343b497ff2fb490856
SHA1: 7909df003d31fe602dcf02427221b6a3fcca2585
SHA256: f6040b4047094868e17be9428ea636efb9406f6526e2eb10a3f3917e48c96f6a
SHA512: 1742a70157a5872346acb2724ae9de324633f92cb7429061735587359ba01c7d3ab95b96fe6b8cd60f6a47192e1793c164769f63bcc8d56e3d5b732e21953a88
SSDEEP: 768:Chw2aHt0dcYsITFT2jqQKG/d4uH8Czb0OmSM:Ww2UF9IJs5f/d42zbgb
Malware Config
Signatures
Modifies security service (2 TTPs, 2 IoCs)
Start = 4 is SERVICE_DISABLED, so the Security Center (wscsvc) and Windows Update (wuauserv) services will not start on the next boot:
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  tdhleba.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"  tdhleba.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Set value (int)  \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  tdhleba.exe
ShowSuperHidden = 0 re-enables Explorer's "Hide protected operating system files" setting, so anything marked hidden+system stays invisible even to a user who has turned on showing hidden files.
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
An IFEO Debugger value makes Windows start the named "debugger" instead of the program whose key it sits under, handing it the original command line. tdhleba.exe points the Debugger of the security-product binaries below at the dropped C:\Program Files\Common Files\Microsoft Shared\tettaje.exe, so launching any of them launches the malware instead. The targets are largely Chinese-market products (Qihoo 360, Kingsoft, Rising, Jiangmin) plus Kaspersky (avp.exe), ESET NOD32, Symantec (ccSvcHst.exe), Avast and the IceSword and SREng anti-rootkit tools. Several signatures on this page stop at exactly 64 IoCs, so this list is truncated rather than complete.
With <IFEO> = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options:
Set value (str)  <IFEO>\<name>\Debugger = "C:\\Program Files\\Common Files\\Microsoft Shared\\tettaje.exe"  tdhleba.exe, for <name> in (34 entries):
  KvfwMcl.exe, MagicSet.exe, avp.com, 360tray.exe, ccSvcHst.exe, KASMain.exe, KRegEx.exe, AvMonitor.exe, RavStub.exe, avgrssvc.exe, KISLnchr.exe, RsAgent.exe, avp.exe, RavTask.exe, TrojDie.kxp, rfwmain.exe, irsetup.exe, KPfwSvc.exe, KvXP_1.kxp, Trojanwall.exe, KRepair.com, safelive.exe, symlcsvc.exe, AppSvc32.exe, kabaload.exe, KPFW32X.exe, RavMonD.exe, SREng.EXE, UmxCfg.exe, nod32.exe, AvastU3.exe, KvXP.kxp, RegClean.exe, isPwdSvc.exe
Key created  <IFEO>\<name>  tdhleba.exe, for <name> in (30 entries; only the key creation is logged for these):
  iparmo.exe, kvolself.exe, nod32kui.exe, RfwMain.exe, PFWLiveUpdate.exe, AgentSvr.exe, isPwdSvc.exe, Ras.exe, FYFireWall.exe, Rav.exe, mmsk.exe, 360Safe.exe, nod32.exe, irsetup.exe, vsstat.exe, IceSword.exe, avp.com, RegClean.exe, rfwsrv.exe, KMFilter.exe, QHSET.exe, PFW.exe, ccSvcHst.exe, KVMonXP_1.kxp, avp.exe, runiep.exe, KAVPF.exe, AST.exe, WoptiClean.exe, rfwcfg.exe
Deletes itself (1 IoCs)
PID 2756  cmd.exe

Executes dropped EXE (2 IoCs)
PID 3032  tdhleba.exe
PID 2320  tettaje.exe

Loads dropped DLL (4 IoCs)
PID 2544  43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe  (logged 4 times)
Enumerates connected drives (3 TTPs, 42 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only)  \??\<letter>:  for every drive letter e: through z: except f:, by both tdhleba.exe and tettaje.exe (21 letters each, 42 entries)
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
File created / opened for modification  \??\c:\autorun.inf  tdhleba.exe
File created / opened for modification  \??\f:\autorun.inf  tdhleba.exe
Drops file in Program Files directory (21 IoCs)
Each of the two dropped binaries also opens both dropped executables for modification.
43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe (PID 2544):
  File created / opened for modification  C:\Program Files\Common Files\System\tdhleba.exe
  File created / opened for modification  C:\Program Files\Common Files\Microsoft Shared\tettaje.exe
tdhleba.exe:
  File created  C:\Program Files\1.hiv
  File created  C:\Program Files\2.hiv
  File created / opened for modification  C:\Program Files\Common Files\System\nkedjdo.inf
  File opened for modification  C:\Program Files\dld.dat
  File opened for modification  C:\Program Files\Common Files\System\tdhleba.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\tettaje.exe
  File opened for modification  C:\Program Files\Common Files\System  (directory)
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared  (directory)
tettaje.exe:
  File created  C:\Program Files\3.hiv
  File created  C:\Program Files\4.hiv
  File created / opened for modification  C:\Program Files\meex.exe
  File created / opened for modification  C:\Program Files\Common Files\Microsoft Shared\nkedjdo.inf
  File opened for modification  C:\Program Files\Common Files\System\tdhleba.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\tettaje.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 3032  tdhleba.exe  (1 entry)
PID 2320  tettaje.exe  (63 entries)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Token: SeBackupPrivilege and SeRestorePrivilege, enabled twice each by PID 3032 tdhleba.exe and by PID 2320 tettaje.exe.
These two privileges bypass file and registry ACLs (RegSaveKey and RegLoadKey require them), which fits the 1.hiv to 4.hiv files the two processes write under C:\Program Files if those are saved hives.
Suspicious use of FindShellTrayWindow (64 IoCs)
PID 3032 tdhleba.exe and PID 2320 tettaje.exe, alternating, 32 entries each
Suspicious use of WriteProcessMemory (64 IoCs)
Each write is logged four times; the number in parentheses is the procid_target column as logged. Names for the child PIDs come from the process tree below.
PID 2544 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe wrote to memory of: 3032 tdhleba.exe (30), 2320 tettaje.exe (31), 2812 cmd.exe (32), 2828 cmd.exe (33), 2924 cmd.exe (34), 2808 cmd.exe (35), 2772 cmd.exe (36), 2368 cmd.exe (37), 2756 cmd.exe (38), 3040 cmd.exe (39), 2624 cmd.exe (40), 2264 cmd.exe (41), 2732 cmd.exe (42), 1804 cmd.exe (50)
PID 3032 tdhleba.exe wrote to memory of: 2776 cmd.exe (43)
PID 2320 tettaje.exe wrote to memory of: 2652 cmd.exe (44)
System policy modification (1 TTPs, 1 IoCs)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "145"  tdhleba.exe
145 is 0x91, the Windows default: AutoRun is disabled for unknown and network drives but left enabled for removable and fixed drives, which is what the autorun.inf dropped on c: and f: relies on. Writing it as a machine policy overrides a stricter per-user setting. Windows 7 and later ignore autorun.inf on non-optical removable media regardless of this value, so the spread vector only works on older or unpatched systems.
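The registry writes in the signatures above (IFEO Debugger hijack, wscsvc/wuauserv Start = 4, ShowSuperHidden = 0, NoDriveTypeAutoRun) are the artefacts an analyst would sweep for on other hosts. The Python below is an added example for this page, not tria.ge output and not the sample's code: it parses a .reg export of the relevant keys and flags those values. SAMPLE_REG is constructed from this page's IoCs plus one benign control entry (notepad.exe debugged by vsjitdebugger.exe); the KNOWN_DEBUGGERS allowlist and the severity labels are assumptions.

```python
"""Offline triage of the registry artefacts listed in this report.

Added example, not tria.ge code and not part of the sample. Input is
.reg-style text such as `reg export` writes (usually UTF-16; decode it
first). SAMPLE_REG is constructed from this page's IoCs plus one benign
IFEO entry (notepad.exe -> vsjitdebugger.exe) as a control.
"""
import re
from dataclasses import dataclass

IFEO = "\\image file execution options\\"
# Assumption: debuggers the analyst accepts on the host under review.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "procdump.exe"}
# NoDriveTypeAutoRun: a set bit disables AutoRun for that drive type.
DRIVE_BITS = [(0x01, "unknown"), (0x04, "removable"), (0x08, "fixed"),
              (0x10, "network"), (0x20, "cdrom"), (0x40, "ramdisk"),
              (0x80, "unknown-type")]

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\tettaje.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\tettaje.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv]
"Start"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""


@dataclass
class Finding:
    severity: str
    key: str
    detail: str


def parse_reg(text):
    """Return {key: {value_name: value}}; handles "str", dword: and @ defaults."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, val = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if val.startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            elif len(val) >= 2 and val[0] == val[-1] == '"':
                # .reg doubles backslashes and escapes quotes inside strings
                keys[current][name] = val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                keys[current][name] = val  # hex:, hex(2): etc. kept raw
    return keys


def _get(values, name):
    """Case-insensitive lookup: registry value names are not case-sensitive."""
    return next((v for n, v in values.items() if n.lower() == name.lower()), None)


def triage(keys):
    findings = []
    for key, values in keys.items():
        low = key.lower()
        dbg = _get(values, "Debugger")
        if IFEO in low and dbg is not None:
            target = key.rsplit("\\", 1)[-1]
            m = re.search(r'([^\\"/]+\.exe)', str(dbg), re.I)
            exe = (m.group(1) if m else str(dbg)).lower()
            sev = "info" if exe in KNOWN_DEBUGGERS else "high"
            findings.append(Finding(sev, key, f"launching {target} runs {dbg} instead"))
        elif re.search(r"\\services\\(wscsvc|wuauserv)$", low) and _get(values, "Start") == 4:
            findings.append(Finding("high", key, "Start=4 (SERVICE_DISABLED)"))
        elif low.endswith("\\explorer\\advanced") and _get(values, "ShowSuperHidden") == 0:
            findings.append(Finding("medium", key, "ShowSuperHidden=0 hides protected OS files in Explorer"))
        elif low.endswith("\\policies\\explorer") and _get(values, "NoDriveTypeAutoRun") is not None:
            mask = int(_get(values, "NoDriveTypeAutoRun"))
            allowed = [n for bit, n in DRIVE_BITS if not mask & bit]
            if "removable" in allowed or "fixed" in allowed:
                findings.append(Finding("medium", key,
                    f"NoDriveTypeAutoRun=0x{mask:02X} leaves AutoRun on: {', '.join(allowed)}"))
    return findings


def run(text=SAMPLE_REG):
    return triage(parse_reg(text))


if __name__ == "__main__":
    for f in run():
        print(f"[{f.severity:<6}] {f.key}\n         {f.detail}")
```

On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` produces the IFEO input (open the file with encoding="utf-16"), and the same for the services, Explorer\Advanced and Policies\Explorer keys. The sample run yields seven findings: the two tettaje.exe hijacks and both disabled services as "high", the notepad control as "info", and the Explorer and AutoRun values as "medium"; the iparmo.exe key, which carries no Debugger value, is correctly ignored.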
Processes
[1] C:\Users\Admin\AppData\Local\Temp\43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe  PID 2544
    cmdline: "C:\Users\Admin\AppData\Local\Temp\43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe"
    signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    [2] C:\Program Files\Common Files\System\tdhleba.exe  PID 3032
        cmdline: "C:\Program Files\Common Files\System\tdhleba.exe"
        signatures: Modifies security service; Modifies visibility of hidden/system files in Explorer; Event Triggered Execution: Image File Execution Options Injection; Executes dropped EXE; Enumerates connected drives; Drops autorun.inf file; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory; System policy modification
        [3] C:\Windows\SysWOW64\cmd.exe  PID 2776
            cmdline: cmd /c echo Y| cacls C:\Program Files\dld.dat /t /g everyone:F
            [4] C:\Windows\SysWOW64\cmd.exe  PID 2976
                cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            [4] C:\Windows\SysWOW64\cacls.exe  PID 1480
                cmdline: cacls C:\Program Files\dld.dat /t /g everyone:F
    [2] C:\Program Files\Common Files\Microsoft Shared\tettaje.exe  PID 2320
        cmdline: "C:\Program Files\Common Files\Microsoft Shared\tettaje.exe"
        signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe  PID 2652
            cmdline: cmd /c echo Y| cacls C:\Program Files\meex.exe /t /g everyone:F
            [4] C:\Windows\SysWOW64\cmd.exe  PID 1728
                cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            [4] C:\Windows\SysWOW64\cacls.exe  PID 536
                cmdline: cacls C:\Program Files\meex.exe /t /g everyone:F
    [2] C:\Windows\SysWOW64\cmd.exe, 24 instances with the same command line
        cmdline: C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe"
        PIDs: 2812, 2828, 2924, 2808, 2772, 2368, 2756 (flagged "Deletes itself"), 3040, 2624, 2264, 2732, 1804, 2928, 2664, 2936, 792, 2788, 2620, 2628, 2636, 2660, 2680, 2072, 2328
Notes on the tree: the cacls commands replace the ACL on the two dropped files with Everyone: Full Control (/g everyone:F, recursive through /t), with echo Y piped in to answer the confirmation prompt; the path is left unquoted, so cacls actually receives C:\Program and Files\dld.dat (or Files\meex.exe) as separate arguments. A running executable's image cannot be deleted, so the repeated cmd /c del spawns are self-deletion attempts that can only succeed once the sample has exited.
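The process tree shows three behaviours worth a detection rule: the dropped components are launched from Program Files\Common Files by a parent running in the user's Temp directory, cacls is driven with echo Y| to hand Everyone full control of the dropped files, and the sample spawns cmd /c del against its own image. The Python below is an added example for this page, not tria.ge code; it runs those three rules over constructed process-creation events (Sysmon Event ID 1 shape) built from the PIDs and command lines in the tree. The parent PID 1000 and the benign control event with PID 4100 are made up.

```python
"""Process-tree rules for the behaviour in this report's process tree.

Added example, not tria.ge code. EVENTS is a constructed list shaped like
Sysmon Event ID 1 (pid, ppid, image, cmd); the real PIDs and command lines
come from the tree, PID 1000 and the benign PID 4100 event are invented.
Rules:
  R1  cmd /c del "<path>" where <path> is the parent's own image (self-deletion)
  R2  cacls/icacls granting Everyone full control, noting an `echo Y|` auto-confirm
  R3  a binary under Program Files\\Common Files started from a user Temp directory
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe"
TDH = r"C:\Program Files\Common Files\System\tdhleba.exe"
TET = r"C:\Program Files\Common Files\Microsoft Shared\tettaje.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

EVENTS = [  # constructed from the report's process tree
    {"pid": 2544, "ppid": 1000, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"pid": 3032, "ppid": 2544, "image": TDH, "cmd": f'"{TDH}"'},
    {"pid": 2320, "ppid": 2544, "image": TET, "cmd": f'"{TET}"'},
    {"pid": 2776, "ppid": 3032, "image": CMD,
     "cmd": r"cmd /c echo Y| cacls C:\Program Files\dld.dat /t /g everyone:F"},
    {"pid": 1480, "ppid": 2776, "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmd": r"cacls C:\Program Files\dld.dat /t /g everyone:F"},
    {"pid": 2756, "ppid": 2544, "image": CMD,
     "cmd": f'C:\\Windows\\system32\\cmd.exe /c del "{SAMPLE}"'},
    {"pid": 4100, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c del "C:\Users\Admin\Downloads\old.log"'},  # benign control
]

DEL_RE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.I)
# cacls "/g everyone:F" and icacls "/grant Everyone:F" or "/grant *S-1-1-0:(F)"
ACL_RE = re.compile(r'\b(?:cacls|icacls)\b.*?(?:/g|/grant(?::r)?)\s+"?(?:everyone|\*s-1-1-0)"?:\(?f\)?', re.I)
CONFIRM_RE = re.compile(r"echo\s+y\s*\|", re.I)


def detect(events):
    """Return (rule, pid, detail) tuples for events matching R1-R3."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, cmd = e["image"].lower(), e["cmd"]
        parent = by_pid.get(e["ppid"])
        exe = img.rsplit("\\", 1)[-1]
        # R1: cmd.exe deleting the file its parent process is running from
        m = DEL_RE.search(cmd)
        if exe == "cmd.exe" and m and parent and m.group(1).lower() == parent["image"].lower():
            hits.append(("R1", e["pid"], f"self-deletion of {parent['image']}"))
        # R2: ACL grant of Full Control to Everyone
        if ACL_RE.search(cmd):
            how = " (auto-confirmed with echo Y|)" if CONFIRM_RE.search(cmd) else ""
            hits.append(("R2", e["pid"], f"Everyone:F grant{how}: {cmd}"))
        # R3: payload under Common Files launched by a Temp-resident parent
        if (img.startswith("c:\\program files\\common files\\") and parent
                and "\\appdata\\local\\temp\\" in parent["image"].lower()):
            hits.append(("R3", e["pid"], f"{img} started by {parent['image']}"))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(rule, pid, detail)
```

Against the constructed events this yields five hits: R3 for tdhleba.exe and tettaje.exe, R2 for the cmd.exe wrapper (with the echo Y| auto-confirm noted) and again for cacls.exe itself, and R1 for the cmd /c del that names the sample's own path; the benign del of a log file does not fire because its target is not its parent's image. R2 keys on the grant rather than the path, which matters here because the logged cacls path is unquoted.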
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Image File Execution Options Injection (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Image File Execution Options Injection (1)
Defense Evasion
  Hide Artifacts (1): Hidden Files and Directories (1)
  Modify Registry (3)
Downloads
File 1 (the submitted sample)
Filesize: 26KB
MD5: 43f4a2878cadd6343b497ff2fb490856
SHA1: 7909df003d31fe602dcf02427221b6a3fcca2585
SHA256: f6040b4047094868e17be9428ea636efb9406f6526e2eb10a3f3917e48c96f6a
SHA512: 1742a70157a5872346acb2724ae9de324633f92cb7429061735587359ba01c7d3ab95b96fe6b8cd60f6a47192e1793c164769f63bcc8d56e3d5b732e21953a88

File 2
Filesize: 169B
MD5: a54b00618165462a8efb329fed687faa
SHA1: 11aeca130e833935fe7efdb8403433eb271cc4f8
SHA256: ee4862d6ebf8e622959c213db4513d043bb8fede1e376f908ae09f7bcf75e244
SHA512: 72de05b116bd3c2d00393f1076942df1e328c257aceffd16aeda09841bf4e2f20a8fa0dcf1782512cb4bbe5781056ec8ee67ea95eb204d891013b6f2204271be