Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
25/07/2024, 16:02
Static task
static1
Behavioral task
behavioral1
Sample
7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
-
Size
484KB
-
MD5
7046c23f48f52b97038e69e782044cbd
-
SHA1
e3e20833e358a5db26d3393f29e3eb8665aea9aa
-
SHA256
5fad4bfd723fec95c1bf2427014bfff853d92aab283e8411af08a598a2e86590
-
SHA512
2694e9b94f99d0e350427fd89408aef3ebd4c4ff656669d7599aca491aaf6547f14da11593d4c6b4bfe9bf22a3ec29abb484891356f169e20cbc6a5aff0ac4ba
-
SSDEEP
12288:5P9GBWQch+L/ZgHP+v7xK0DmFwUfIp7JVyvWt1aBnSFAPHzeO:5PoBHch+uudKNffiv1aVSaPTeO
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" V6oUpCF0mC.exe Set value (int) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" naoeyeq.exe -
Deletes itself 1 IoCs
pid Process 1632 cmd.exe -
Executes dropped EXE 11 IoCs
pid Process 2756 V6oUpCF0mC.exe 2684 naoeyeq.exe 1208 ayhost.exe 1068 ayhost.exe 2908 byhost.exe 2324 byhost.exe 588 cyhost.exe 336 csrss.exe 2128 cyhost.exe 3000 cyhost.exe 2712 dyhost.exe -
Loads dropped DLL 14 IoCs
pid Process 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 2756 V6oUpCF0mC.exe 2756 V6oUpCF0mC.exe 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 588 cyhost.exe 2360 DllHost.exe 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2320-9-0x0000000000400000-0x00000000004BE000-memory.dmp upx behavioral1/memory/2320-6-0x0000000000400000-0x00000000004BE000-memory.dmp upx behavioral1/memory/2320-15-0x0000000000400000-0x00000000004BE000-memory.dmp upx behavioral1/memory/2320-14-0x0000000000400000-0x00000000004BE000-memory.dmp upx behavioral1/memory/2320-12-0x0000000000400000-0x00000000004BE000-memory.dmp upx behavioral1/memory/2320-4-0x0000000000400000-0x00000000004BE000-memory.dmp upx behavioral1/memory/2128-134-0x0000000000400000-0x0000000000448000-memory.dmp upx behavioral1/memory/2320-142-0x0000000000400000-0x00000000004BE000-memory.dmp upx behavioral1/memory/3000-206-0x0000000000400000-0x0000000000448000-memory.dmp upx behavioral1/memory/588-207-0x0000000000400000-0x0000000000448000-memory.dmp upx behavioral1/memory/2320-338-0x0000000000400000-0x00000000004BE000-memory.dmp upx -
Adds Run key to start application 2 TTPs 54 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Program Files (x86)\\Internet Explorer\\lvvm.exe" cyhost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /j" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /l" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /f" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /S" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /V" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /J" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /B" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /a" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /d" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /z" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /P" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /G" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /Q" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /c" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /N" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /n" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /C" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /r" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /L" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /k" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /b" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /q" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /H" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /o" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /T" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /v" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /i" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /g" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /y" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /Z" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /E" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /M" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /F" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /U" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /A" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /I" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /x" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /D" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /p" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /W" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /O" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /Y" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /K" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /X" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /R" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /m" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /t" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /w" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /i" V6oUpCF0mC.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /h" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /u" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /e" naoeyeq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /s" naoeyeq.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created \systemroot\assembly\GAC_64\Desktop.ini csrss.exe File created \systemroot\assembly\GAC_32\Desktop.ini csrss.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 2956 tasklist.exe 2732 tasklist.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2132 set thread context of 2320 2132 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 30 PID 1208 set thread context of 1068 1208 ayhost.exe 38 PID 2908 set thread context of 2324 2908 byhost.exe 40 PID 2324 set thread context of 2940 2324 byhost.exe 41 -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files (x86)\Internet Explorer\lvvm.exe cyhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language byhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dyhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cyhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cyhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language naoeyeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ayhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cyhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language V6oUpCF0mC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language byhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8b7b1c4f-2775-6e50-2822-c9765af149fd}\u = "860049491" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8b7b1c4f-2775-6e50-2822-c9765af149fd}\cid = "1820034458396508756" explorer.exe Key created \registry\machine\Software\Classes\Interface\{8b7b1c4f-2775-6e50-2822-c9765af149fd} explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2756 V6oUpCF0mC.exe 2756 V6oUpCF0mC.exe 1068 ayhost.exe 2684 naoeyeq.exe 2940 explorer.exe 2940 explorer.exe 2940 explorer.exe 2684 naoeyeq.exe 2684 naoeyeq.exe 1068 ayhost.exe 2684 naoeyeq.exe 2684 naoeyeq.exe 2684 naoeyeq.exe 1068 ayhost.exe 2684 naoeyeq.exe 1068 ayhost.exe 1068 ayhost.exe 2684 naoeyeq.exe 2684 naoeyeq.exe 2684 naoeyeq.exe 1068 ayhost.exe 2684 naoeyeq.exe 1068 ayhost.exe 2684 naoeyeq.exe 1068 ayhost.exe 2684 naoeyeq.exe 2684 naoeyeq.exe 1068 ayhost.exe 1068 ayhost.exe 2684 naoeyeq.exe 1068 ayhost.exe 2684 naoeyeq.exe 1068 ayhost.exe 1068 ayhost.exe 2684 naoeyeq.exe 1068 ayhost.exe 2684 naoeyeq.exe 1068 ayhost.exe 2684 naoeyeq.exe 1068 ayhost.exe 2684 naoeyeq.exe 1068 ayhost.exe 2684 naoeyeq.exe 1068 ayhost.exe 1068 ayhost.exe 2684 naoeyeq.exe 1068 ayhost.exe 2684 naoeyeq.exe 1068 ayhost.exe 2684 naoeyeq.exe 2684 naoeyeq.exe 1068 ayhost.exe 1068 ayhost.exe 1068 ayhost.exe 2684 naoeyeq.exe 1068 ayhost.exe 1068 ayhost.exe 1068 ayhost.exe 2684 naoeyeq.exe 2684 naoeyeq.exe 2684 naoeyeq.exe 1068 ayhost.exe 1068 ayhost.exe 1068 ayhost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2956 tasklist.exe Token: SeDebugPrivilege 2940 explorer.exe Token: SeDebugPrivilege 2732 tasklist.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2132 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 2756 V6oUpCF0mC.exe 2684 naoeyeq.exe 1208 ayhost.exe 2908 byhost.exe 2712 dyhost.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 336 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2132 wrote to memory of 2320 2132 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 30 PID 2132 wrote to memory of 2320 2132 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 30 PID 2132 wrote to memory of 2320 2132 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 30 PID 2132 wrote to memory of 2320 2132 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 30 PID 2132 wrote to memory of 2320 2132 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 30 PID 2132 wrote to memory of 2320 2132 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 30 PID 2132 wrote to memory of 2320 2132 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 30 PID 2132 wrote to memory of 2320 2132 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 30 PID 2320 wrote to memory of 2756 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 31 PID 2320 wrote to memory of 2756 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 31 PID 2320 wrote to memory of 2756 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 31 PID 2320 wrote to memory of 2756 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 31 PID 2756 wrote to memory of 2684 2756 V6oUpCF0mC.exe 32 PID 2756 wrote to memory of 2684 2756 V6oUpCF0mC.exe 32 PID 2756 wrote to memory of 2684 2756 V6oUpCF0mC.exe 32 PID 2756 wrote to memory of 2684 2756 V6oUpCF0mC.exe 32 PID 2756 wrote to memory of 2552 2756 V6oUpCF0mC.exe 33 PID 2756 wrote to memory of 2552 2756 V6oUpCF0mC.exe 33 PID 2756 wrote to memory of 2552 2756 V6oUpCF0mC.exe 33 PID 2756 wrote to memory of 2552 2756 V6oUpCF0mC.exe 33 PID 2552 wrote to memory of 2956 2552 cmd.exe 35 PID 2552 wrote to memory of 2956 2552 cmd.exe 35 PID 2552 wrote to memory of 2956 2552 cmd.exe 35 PID 2552 wrote to memory of 2956 2552 cmd.exe 35 PID 2320 wrote to memory of 1208 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 37 PID 2320 wrote to memory of 1208 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 37 PID 2320 wrote to memory of 1208 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 37 PID 2320 wrote to memory of 1208 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 37 PID 1208 wrote to memory of 1068 1208 ayhost.exe 38 PID 1208 wrote to memory of 1068 1208 ayhost.exe 38 PID 1208 wrote to memory of 1068 1208 ayhost.exe 38 PID 1208 wrote to memory of 1068 1208 ayhost.exe 38 PID 1208 wrote to memory of 1068 1208 ayhost.exe 38 PID 1208 wrote to memory of 1068 1208 ayhost.exe 38 PID 1208 wrote to memory of 1068 1208 ayhost.exe 38 PID 1208 wrote to memory of 1068 1208 ayhost.exe 38 PID 1208 wrote to memory of 1068 1208 ayhost.exe 38 PID 1208 wrote to memory of 1068 1208 ayhost.exe 38 PID 1208 wrote to memory of 1068 1208 ayhost.exe 38 PID 2320 wrote to memory of 2908 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 39 PID 2320 wrote to memory of 2908 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 39 PID 2320 wrote to memory of 2908 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 39 PID 2320 wrote to memory of 2908 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 39 PID 2908 wrote to memory of 2324 2908 byhost.exe 40 PID 2908 wrote to memory of 2324 2908 byhost.exe 40 PID 2908 wrote to memory of 2324 2908 byhost.exe 40 PID 2908 wrote to memory of 2324 2908 byhost.exe 40 PID 2908 wrote to memory of 2324 2908 byhost.exe 40 PID 2908 wrote to memory of 2324 2908 byhost.exe 40 PID 2908 wrote to memory of 2324 2908 byhost.exe 40 PID 2908 wrote to memory of 2324 2908 byhost.exe 40 PID 2908 wrote to memory of 2324 2908 byhost.exe 40 PID 2908 wrote to memory of 2324 2908 byhost.exe 40 PID 2324 wrote to memory of 2940 2324 byhost.exe 41 PID 2324 wrote to memory of 2940 2324 byhost.exe 41 PID 2324 wrote to memory of 2940 2324 byhost.exe 41 PID 2324 wrote to memory of 2940 2324 byhost.exe 41 PID 2324 wrote to memory of 2940 2324 byhost.exe 41 PID 2320 wrote to memory of 588 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 42 PID 2320 wrote to memory of 588 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 42 PID 2320 wrote to memory of 588 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 42 PID 2320 wrote to memory of 588 2320 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe 42 PID 2940 wrote to memory of 336 2940 explorer.exe 2 PID 588 wrote to memory of 2128 588 cyhost.exe 43
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
PID:336
-
C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Users\Admin\V6oUpCF0mC.exeC:\Users\Admin\V6oUpCF0mC.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Users\Admin\naoeyeq.exe"C:\Users\Admin\naoeyeq.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2684
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del V6oUpCF0mC.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
-
-
-
C:\Users\Admin\ayhost.exeC:\Users\Admin\ayhost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Users\Admin\ayhost.exe"C:\Users\Admin\ayhost.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1068
-
-
-
C:\Users\Admin\byhost.exeC:\Users\Admin\byhost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Users\Admin\byhost.exe"C:\Users\Admin\byhost.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\explorer.exe0000003C*5⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
-
-
-
-
C:\Users\Admin\cyhost.exeC:\Users\Admin\cyhost.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Users\Admin\cyhost.exeC:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2128
-
-
C:\Users\Admin\cyhost.exeC:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000
-
-
-
C:\Users\Admin\dyhost.exeC:\Users\Admin\dyhost.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2712
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Loads dropped DLL
PID:2360
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
600B
MD5a3eec1763e0048a9136cf571dc18f086
SHA1d8997a780e7764daaa84ae443045ffa25e6f5d09
SHA256f51d81ff252c5c1d78fe3ca86a80f29a4dfe2a275294a3b45715836c9620be29
SHA512198049f3920465f37c24aa80cf7819651d6963c65fe632a5852ba72cf87c3361276e3a767158b3e54f16969b172bd89433594848ae382f0cea3652e0be34b23d
-
Filesize
996B
MD58c3ff6906b9cfdaf86629ba47fea6a14
SHA150a0d0e1c18ed636c23900cf7d41b0ae5a67e313
SHA2567b5366f578f4228ab9f42d83eb06b4659ddbd15e9e722ef5b9ebedd1e8e77517
SHA512d3d1eef96a9b04095ce11945b3bd8a7b81c7bf0698d13f908f01aae610118527792e8b8d04e50e86308853d4fd7a57770656c56d7f220f50df0f76328bfea2e6
-
Filesize
1KB
MD5e48dd849acf1d7d809b3efd92d4340bd
SHA1036210d5ed2a988a64a884f1fadd838a2c737333
SHA256241ca57ec1659a6337d8af7f97bd76a86387a0b5542e4ddb5bb4f18def57fb52
SHA5120002d3ba2e1cddf2b1f7366b2cf1caebd3824acd616a70a3ce80b08ce9bdf4ee9f925135bbbd05b55d2452e29be95162f69ac73355fcfdeef38dee9ac47960a5
-
Filesize
53KB
MD568689b2e7472e2cfb3f39da8a59505d9
SHA15be15784ab1193dc13ac24ec1efcabded5fe2df4
SHA256f304eb2cf6479a4fb36fef81c6df4d0225e251002e8f06f26ee196210bf3d168
SHA512269999061cd54b23b92d385689682e687ae9030bc5d26d79dd5e99f72fa4b4eef41f5a7b555325bd558771db92e2feb8a67fb40c87223be9e23ccb498b3bbc88
-
Filesize
332KB
MD5b96dc0230580570446ab648e20a7e3b3
SHA127483df87ef7093d51062fb2d2fc9944f94c23fb
SHA2562c65220c1c3ec6cb3282759e1d583b598ad43bf09484239325ae06b961bf0af0
SHA512b8dd8743eb45f9dcc0d74b5cf450ef2950482e5c33dcdb5ab9494ad2e396d7ea5ebd80d477fca52a25a46cede6e2c31eb2647612090fda72d7e61e49913c042f
-
Filesize
68KB
MD52c7c2d4e9c03a1818621def0e1281a81
SHA1c92b29a7f6e9998c7a86b9b57cff15f28647a127
SHA2569fb6cf502b6a872ed2e58666672db9fdc0eb57e6ff5a5677b6dbc8de42193f3e
SHA512431cadf9b1d4de1dd0c5efebd5bae2af2ac0f6c98a2d71a5f7bc72e2421ecf77d67616d805bb643680192de6c8921e894a48a538276492567524c4267a4e4a66
-
Filesize
136KB
MD51d0f81b6e185ec95e716d2a0b2ba69a1
SHA109399ffa69ae8bfd9794104bc4b7b4f481980e3a
SHA256abe89315434ce50001a90c9bdd662a0c42fa90d95acdf5baed5823d760e4f878
SHA5126c4ecc1346bfc9952d7a1a2cb30ed5076bec24db099bb3fe20a248b19f56c075ff592d03100a1a3660ad5f47dfaff6a64b6b2bebe1bcbc7ce747f968a4c7e6b1
-
Filesize
168KB
MD5234bf3937f8fe09351acc53c059b40d2
SHA1256f162b65eacc7a1fee35722fbfdbd55bba93c7
SHA25686c568452305c3943eb7d1530cef65c75f6fac39d178082783db8b12fc8eef2b
SHA5126c768729abebd0b9bde9712ee827262c433ac928bb638b9176ef7f4085c2d2b4fdfa3cacffdb7da477d23a1e0ce32e63cba2ab9ace1f45dfcc8109b2c68812b7
-
Filesize
24KB
MD59814ec05c8857737f599ba75b1610fb1
SHA1aa9d9b016c2feda03cf6ad1bbca332070eb9b295
SHA256a68f44fa166ade605dfd2e5827a8ca3fa21141eda423c096d1f41d9bf172e597
SHA512c9daf5d8015ab4d5e0c333b986e04a917a596aef6d61baf43f53e5da346e3e665cd16eb5da35726713689dca991a03fbfa137b7f3f879c77779a477a89a0268d
-
Filesize
332KB
MD5a2e4bc084dbbd56769e8297b59dc2932
SHA182036d17e169a920b9f048661718f16739c3b267
SHA256f962490a4894b49f016339c0f773073bb6030897772ddb7ac8d1408737d26f87
SHA5121e557af983e41b7905ca09d8b087d569765ee23e923554aed0d44b9560252bfa83290f4350612a9a59af5e8683081e5e791d0c47437f0c2a839f07fe78af02af
-
Filesize
4KB
MD5ff7d5ec20bf73c02317e7a740fffe018
SHA1365ac8cfe5b939854cc1c341caf051bcc45f9372
SHA2561e230847d7034f5ab3bf010f569315e00673859af0574fc9f915636ed905779a
SHA51230854c0d703fd7c6cbc0769d9be4125baa2577ec529d5e48177a434685b66752fd79c50f0321324e23eeb985738f403347748afefae7d8a3bfad388a5b512a44
-
Filesize
5KB
MD53e7a118b119428247edfc5d5ef3761bc
SHA1140e4cb00107678160411f016c4c17611580a209
SHA25697c19f4103a16798202e50a501375d0bf3d7ec1bb654dda230337e85b01b1ec5
SHA512b0e27a4d7aa62f937f275b9f413f75857846ae670bf3aed6e55c1db865485fda89e33dcdffa02ae2ab25f48d5f63f869232f9e6d69f9cdc8a5c93f39de09a925