Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 25/07/2024, 19:06
Behavioral task: behavioral1
Sample: 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
Size: 255KB
MD5: 70dac3709ac4bcd5d495cf300812cefb
SHA1: 661ce55a624c4c6205a78e4060a8bb575bbf60a6
SHA256: 674627bc518d403e7fef6c0a6922bd93fcc011f44b54e4d739fe0d98de0af16e
SHA512: 86232f60b1feed396e8a5bf1ea00a4baf8d341ef4a9fb5648aba9af82e36686b7bdf1d9927ab45c87ce6e011fbb0c2ec222f2fd63740ad3b1b80918eb72cc23c
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJR:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIq
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | dyaxtnyamw.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dyaxtnyamw.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dyaxtnyamw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dyaxtnyamw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dyaxtnyamw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dyaxtnyamw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | dyaxtnyamw.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dyaxtnyamw.exe
Executes dropped EXE 5 IoCs
pid | Process
2800 | dyaxtnyamw.exe
2584 | wvyojkkn.exe
2428 | yjqyqfwkitlxnxm.exe
2744 | utxdaawpfqhnv.exe
3016 | wvyojkkn.exe
Loads dropped DLL 5 IoCs
pid | Process
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2800 | dyaxtnyamw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
behavioral1/memory/2824-0-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x0008000000015d80-5.dat | upx
behavioral1/files/0x00080000000120f9-17.dat | upx
behavioral1/memory/2800-25-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x0008000000015d91-31.dat | upx
behavioral1/memory/2824-28-0x0000000003760000-0x0000000003800000-memory.dmp | upx
behavioral1/memory/2824-20-0x0000000003760000-0x0000000003800000-memory.dmp | upx
behavioral1/memory/2744-40-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x0009000000015f3b-39.dat | upx
behavioral1/memory/2428-38-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2584-37-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/3016-45-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2824-49-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x000700000001627a-73.dat | upx
behavioral1/files/0x0032000000015d0d-67.dat | upx
behavioral1/memory/2800-79-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-80-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2584-81-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/3016-83-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2744-82-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2584-84-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-85-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2800-86-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-87-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2584-88-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2744-89-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/3016-90-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2744-91-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/3016-92-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2584-94-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2800-96-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2744-98-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-97-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2800-99-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2744-101-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-100-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2800-102-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2744-104-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-103-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2800-106-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-107-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2744-108-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2800-109-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2744-111-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-110-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2800-112-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2744-114-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-113-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2800-115-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2744-117-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-116-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2800-136-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-137-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2744-138-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2800-139-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2744-141-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-140-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2800-142-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2744-144-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-143-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2800-145-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2744-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2800-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | dyaxtnyamw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dyaxtnyamw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | dyaxtnyamw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dyaxtnyamw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dyaxtnyamw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dyaxtnyamw.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqrfokbx = "dyaxtnyamw.exe" | yjqyqfwkitlxnxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xpthhkel = "yjqyqfwkitlxnxm.exe" | yjqyqfwkitlxnxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "utxdaawpfqhnv.exe" | yjqyqfwkitlxnxm.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\s: | wvyojkkn.exe
File opened (read-only) | \??\x: | wvyojkkn.exe
File opened (read-only) | \??\z: | wvyojkkn.exe
File opened (read-only) | \??\i: | dyaxtnyamw.exe
File opened (read-only) | \??\l: | dyaxtnyamw.exe
File opened (read-only) | \??\x: | dyaxtnyamw.exe
File opened (read-only) | \??\h: | wvyojkkn.exe
File opened (read-only) | \??\j: | wvyojkkn.exe
File opened (read-only) | \??\t: | wvyojkkn.exe
File opened (read-only) | \??\n: | wvyojkkn.exe
File opened (read-only) | \??\h: | dyaxtnyamw.exe
File opened (read-only) | \??\o: | dyaxtnyamw.exe
File opened (read-only) | \??\j: | wvyojkkn.exe
File opened (read-only) | \??\q: | wvyojkkn.exe
File opened (read-only) | \??\v: | dyaxtnyamw.exe
File opened (read-only) | \??\o: | wvyojkkn.exe
File opened (read-only) | \??\y: | wvyojkkn.exe
File opened (read-only) | \??\e: | wvyojkkn.exe
File opened (read-only) | \??\h: | wvyojkkn.exe
File opened (read-only) | \??\p: | dyaxtnyamw.exe
File opened (read-only) | \??\s: | dyaxtnyamw.exe
File opened (read-only) | \??\b: | dyaxtnyamw.exe
File opened (read-only) | \??\x: | wvyojkkn.exe
File opened (read-only) | \??\v: | wvyojkkn.exe
File opened (read-only) | \??\k: | wvyojkkn.exe
File opened (read-only) | \??\m: | wvyojkkn.exe
File opened (read-only) | \??\l: | wvyojkkn.exe
File opened (read-only) | \??\s: | wvyojkkn.exe
File opened (read-only) | \??\y: | dyaxtnyamw.exe
File opened (read-only) | \??\z: | dyaxtnyamw.exe
File opened (read-only) | \??\i: | wvyojkkn.exe
File opened (read-only) | \??\j: | dyaxtnyamw.exe
File opened (read-only) | \??\g: | wvyojkkn.exe
File opened (read-only) | \??\e: | wvyojkkn.exe
File opened (read-only) | \??\n: | wvyojkkn.exe
File opened (read-only) | \??\a: | wvyojkkn.exe
File opened (read-only) | \??\g: | wvyojkkn.exe
File opened (read-only) | \??\t: | wvyojkkn.exe
File opened (read-only) | \??\u: | wvyojkkn.exe
File opened (read-only) | \??\r: | dyaxtnyamw.exe
File opened (read-only) | \??\b: | wvyojkkn.exe
File opened (read-only) | \??\p: | wvyojkkn.exe
File opened (read-only) | \??\w: | wvyojkkn.exe
File opened (read-only) | \??\v: | wvyojkkn.exe
File opened (read-only) | \??\w: | wvyojkkn.exe
File opened (read-only) | \??\t: | dyaxtnyamw.exe
File opened (read-only) | \??\u: | dyaxtnyamw.exe
File opened (read-only) | \??\l: | wvyojkkn.exe
File opened (read-only) | \??\a: | dyaxtnyamw.exe
File opened (read-only) | \??\w: | dyaxtnyamw.exe
File opened (read-only) | \??\b: | wvyojkkn.exe
File opened (read-only) | \??\q: | wvyojkkn.exe
File opened (read-only) | \??\u: | wvyojkkn.exe
File opened (read-only) | \??\i: | wvyojkkn.exe
File opened (read-only) | \??\r: | wvyojkkn.exe
File opened (read-only) | \??\y: | wvyojkkn.exe
File opened (read-only) | \??\e: | dyaxtnyamw.exe
File opened (read-only) | \??\q: | dyaxtnyamw.exe
File opened (read-only) | \??\m: | dyaxtnyamw.exe
File opened (read-only) | \??\m: | wvyojkkn.exe
File opened (read-only) | \??\n: | dyaxtnyamw.exe
File opened (read-only) | \??\a: | wvyojkkn.exe
File opened (read-only) | \??\r: | wvyojkkn.exe
File opened (read-only) | \??\z: | wvyojkkn.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | dyaxtnyamw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | dyaxtnyamw.exe
AutoIT Executable 58 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2824-0-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-25-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2824-20-0x0000000003760000-0x0000000003800000-memory.dmp | autoit_exe
behavioral1/memory/2428-38-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2584-37-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/3016-45-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2824-49-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-79-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-80-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2584-81-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/3016-83-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-82-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2584-84-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-85-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-86-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-87-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2584-88-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-89-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/3016-90-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-91-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/3016-92-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2584-94-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-96-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-98-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-97-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-99-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-101-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-100-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-102-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-104-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-103-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-106-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-107-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-108-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-109-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-111-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-110-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-112-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-114-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-113-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-115-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-117-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-116-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-136-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-137-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-138-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-139-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-141-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-140-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-142-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-144-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-143-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-145-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2800-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2744-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\wvyojkkn.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\utxdaawpfqhnv.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | dyaxtnyamw.exe
File opened for modification | C:\Windows\SysWOW64\yjqyqfwkitlxnxm.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dyaxtnyamw.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\yjqyqfwkitlxnxm.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wvyojkkn.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\utxdaawpfqhnv.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\dyaxtnyamw.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | wvyojkkn.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | wvyojkkn.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | wvyojkkn.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | wvyojkkn.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | wvyojkkn.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | wvyojkkn.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | wvyojkkn.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | wvyojkkn.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | wvyojkkn.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | wvyojkkn.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | wvyojkkn.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | wvyojkkn.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | wvyojkkn.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | wvyojkkn.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | utxdaawpfqhnv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wvyojkkn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dyaxtnyamw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wvyojkkn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yjqyqfwkitlxnxm.exe
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 19 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472D089C5782576D4176A5772F2CDF7D8365DE" | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | dyaxtnyamw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | dyaxtnyamw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | dyaxtnyamw.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FC834F28856E9140D75F7E92BC94E1345846674F6330D6E9" | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | dyaxtnyamw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | dyaxtnyamw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | dyaxtnyamw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | dyaxtnyamw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | dyaxtnyamw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCFABEFE17F290840E3B47819C39E1B0FD03F043640248E1BF45E808A7" | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | dyaxtnyamw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | dyaxtnyamw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | dyaxtnyamw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B02C44E739ED53C4BAA0329ED7C8" | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FC68B4FF6621DED27FD0A58A7B9062" | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C70E14E6DAB3B8CC7C94EDE234BE" | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | dyaxtnyamw.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
692 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2800 | dyaxtnyamw.exe
2800 | dyaxtnyamw.exe
2800 | dyaxtnyamw.exe
2800 | dyaxtnyamw.exe
2800 | dyaxtnyamw.exe
2584 | wvyojkkn.exe
2584 | wvyojkkn.exe
2584 | wvyojkkn.exe
2584 | wvyojkkn.exe
3016 | wvyojkkn.exe
3016 | wvyojkkn.exe
3016 | wvyojkkn.exe
3016 | wvyojkkn.exe
2428 | yjqyqfwkitlxnxm.exe
2428 | yjqyqfwkitlxnxm.exe
2428 | yjqyqfwkitlxnxm.exe
2428 | yjqyqfwkitlxnxm.exe
2428 | yjqyqfwkitlxnxm.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2428 | yjqyqfwkitlxnxm.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2428 | yjqyqfwkitlxnxm.exe
2428 | yjqyqfwkitlxnxm.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2428 | yjqyqfwkitlxnxm.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2428 | yjqyqfwkitlxnxm.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2428 | yjqyqfwkitlxnxm.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2428 | yjqyqfwkitlxnxm.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2428 | yjqyqfwkitlxnxm.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2428 | yjqyqfwkitlxnxm.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2428 | yjqyqfwkitlxnxm.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2428 | yjqyqfwkitlxnxm.exe
2744 | utxdaawpfqhnv.exe
2744 | utxdaawpfqhnv.exe
2428 | yjqyqfwkitlxnxm.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2800 | dyaxtnyamw.exe
2800 | dyaxtnyamw.exe
2800 | dyaxtnyamw.exe
2584 | wvyojkkn.exe
2584 | wvyojkkn.exe
2584 | wvyojkkn.exe
2744 | utxdaawpfqhnv.exe
3016 | wvyojkkn.exe
3016 | wvyojkkn.exe
2744 | utxdaawpfqhnv.exe
3016 | wvyojkkn.exe
2744 | utxdaawpfqhnv.exe
2428 | yjqyqfwkitlxnxm.exe
2428 | yjqyqfwkitlxnxm.exe
2428 | yjqyqfwkitlxnxm.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
2800 | dyaxtnyamw.exe
2800 | dyaxtnyamw.exe
2800 | dyaxtnyamw.exe
2584 | wvyojkkn.exe
2584 | wvyojkkn.exe
2584 | wvyojkkn.exe
2744 | utxdaawpfqhnv.exe
3016 | wvyojkkn.exe
3016 | wvyojkkn.exe
2744 | utxdaawpfqhnv.exe
3016 | wvyojkkn.exe
2744 | utxdaawpfqhnv.exe
2428 | yjqyqfwkitlxnxm.exe
2428 | yjqyqfwkitlxnxm.exe
2428 | yjqyqfwkitlxnxm.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
692 | WINWORD.EXE
692 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2824 wrote to memory of 2800 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 31
PID 2824 wrote to memory of 2800 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 31
PID 2824 wrote to memory of 2800 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 31
PID 2824 wrote to memory of 2800 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 31
PID 2824 wrote to memory of 2428 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 32
PID 2824 wrote to memory of 2428 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 32
PID 2824 wrote to memory of 2428 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 32
PID 2824 wrote to memory of 2428 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 32
PID 2824 wrote to memory of 2584 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 33
PID 2824 wrote to memory of 2584 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 33
PID 2824 wrote to memory of 2584 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 33
PID 2824 wrote to memory of 2584 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 33
PID 2824 wrote to memory of 2744 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 34
PID 2824 wrote to memory of 2744 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 34
PID 2824 wrote to memory of 2744 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 34
PID 2824 wrote to memory of 2744 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 34
PID 2800 wrote to memory of 3016 | 2800 | dyaxtnyamw.exe | 35
PID 2800 wrote to memory of 3016 | 2800 | dyaxtnyamw.exe | 35
PID 2800 wrote to memory of 3016 | 2800 | dyaxtnyamw.exe | 35
PID 2800 wrote to memory of 3016 | 2800 | dyaxtnyamw.exe | 35
PID 2824 wrote to memory of 692 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 36
PID 2824 wrote to memory of 692 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 36
PID 2824 wrote to memory of 692 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 36
PID 2824 wrote to memory of 692 | 2824 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 36
PID 692 wrote to memory of 2732 | 692 | WINWORD.EXE | 38
PID 692 wrote to memory of 2732 | 692 | WINWORD.EXE | 38
PID 692 wrote to memory of 2732 | 692 | WINWORD.EXE | 38
PID 692 wrote to memory of 2732 | 692 | WINWORD.EXE | 38
Processes
C:\Users\Admin\AppData\Local\Temp\70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe"
  PID: 2824
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\dyaxtnyamw.exe
    Command line: dyaxtnyamw.exe
    PID: 2800
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wvyojkkn.exe
      Command line: C:\Windows\system32\wvyojkkn.exe
      PID: 3016
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\yjqyqfwkitlxnxm.exe
    Command line: yjqyqfwkitlxnxm.exe
    PID: 2428
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\wvyojkkn.exe
    Command line: wvyojkkn.exe
    PID: 2584
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\utxdaawpfqhnv.exe
    Command line: utxdaawpfqhnv.exe
    PID: 2744
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    PID: 692
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 2732
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize: 255KB
MD5: 65ba2a64fb2b628426d3b5279d2f823e
SHA1: f23e77faa74dfaff7a12d22393f377956b22ed50
SHA256: d0e0cddd962589623e8af6f0e8c9fc077c56adfc0e09cd10753272c70e9072b9
SHA512: 3f82d3aa56d4e3da229e56b6934213bb84ef9f4e1d2e5580f87f5a358e3a65ea4ea6d799818a7d560658ff69ee01394d6196825f917742164feb1979a413d168

Filesize: 255KB
MD5: 7dfc2d7bafe53a5df735751192deb795
SHA1: 3aeda5c1b3502c75332b7aca3561629867a6802a
SHA256: ea4230351529457d67a9832a43ebff032b62a42858647265c8e0c1330c6d58bf
SHA512: ef5aaf1be0bb438b6993681b814f7281222490d4cfd03b8f5d51e4a3bb9e8b535302968bc46f2973d5c14c13fd14832cd270ecff955a900682ca0cfd947e34d6

Filesize: 19KB
MD5: a4243ee687f8a31edcb391cbfacd4ca6
SHA1: 8d11ffdfedf0041ed53154fa5313e5e4d215e516
SHA256: 686ca7eaad3d01f77c066cbaf5cd01bada3f97f16262bb977122c70fad7ed2f6
SHA512: 4fe50c5393ce6f95b2b0f7dabcdcecccf15e99870fa8f3f816ad76803368bf44eb3df557c7a104db81b8607dff7144dd581e990a8c03b6a9eed4410734165b23

Filesize: 255KB
MD5: 1b8bd882c8a24cc1c7d9a87a13807d64
SHA1: 83f34828a1f9adbb8e12708b9b44b637877b3fec
SHA256: fee1d9395baaff792ef29efebeb16837a16d4cfbbbca7010fa1f591b73caa921
SHA512: 48ebb42386171c67ae54d40db7302a46a90148ec02df0b4b617e1e58e12d69bd8ee2b42520ca319a70db5a4ffa4559bcd0d88a52198dfdeb5ec14244ca085eb7

Filesize: 255KB
MD5: a918e3e70327fad690a9349dc21fdf3a
SHA1: bfd269f9be71fe4ef3735c47bc364ede06056206
SHA256: f792107115b31850e1707d0cd19b693637f65954110ef96a6fd59f57ed4a6bd8
SHA512: 9847f2b2a815c5a55315ecb688bf04f38fbc0866d5a29e5122023d97e54687c059ff2e8979875afda4c9a6e3b18badcd1337577aaa24f86fa1e5a8d50f200840

Filesize: 255KB
MD5: 9b4752f030d1f59f22a2c707aac70aae
SHA1: 99d2878b14c264636ccdfeb70d80bcfdb00d1012
SHA256: f87950b3f4114668de51b3d591ad818e6189c9f93aa154fd2a890b47c09f0cf6
SHA512: 731c5f7cfbb887f2a9d5b0dadd22858f2688031d3a6b8e064ddc71670a558ba9aa81b9e9040614582026ffba4da7efd7372fdd8f301ed86d2e701b15f2f7a3a0

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 255KB
MD5: a062215f7550c6b2bf4f1f3a685ad23c
SHA1: c7ff29e2bf4fac6dd86bcb4dcceaabcda21285c9
SHA256: b30401220d6a6dd118c836ea928d853b9b033966283a5e6d80930edda4d4bb96
SHA512: 3977537d0cc2f4fc4c7ea16cb9db0fcc0f23b7e905f31d87e593fb2237ca3023fe78c7b36cbcfa88ab7a48a72c614e2e59a73b560e73c541190c56303fcd7535