Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 10:12

Static task: static1
Behavioral task: behavioral1
- Sample: c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
- Resource: win7-20240729-en
General
- Target: c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
- Size: 512KB
- MD5: c082ff8af0528db66a7143e97522eeaa
- SHA1: 4982f63e1a67518db09ccf4a936993375fd5b68a
- SHA256: 9d62e0190265ab56bfb4d0d581c29053455826f2f477f172f5e4baec8fdc433c
- SHA512: 2a9b6b12d92d8e86d67330631ea92ca236a14d445f9c293a5ba2062ffd16e6b69c2911bd2e236c8077016df24c3b846890c66482a94d6bf21aace8f7861a1377
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6r:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | mnjbsbijak.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | mnjbsbijak.exe

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mnjbsbijak.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mnjbsbijak.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mnjbsbijak.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mnjbsbijak.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | mnjbsbijak.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mnjbsbijak.exe

Executes dropped EXE 5 IoCs
pid | Process
2100 | mnjbsbijak.exe
2816 | xtbpcuonvhxxuvp.exe
2108 | fidiwwvu.exe
1928 | wipspkeyveocw.exe
1628 | fidiwwvu.exe

Loads dropped DLL 5 IoCs
pid | Process
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2100 | mnjbsbijak.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mnjbsbijak.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mnjbsbijak.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mnjbsbijak.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | mnjbsbijak.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mnjbsbijak.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | mnjbsbijak.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wipspkeyveocw.exe" | xtbpcuonvhxxuvp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kionctfr = "mnjbsbijak.exe" | xtbpcuonvhxxuvp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\anhrpbry = "xtbpcuonvhxxuvp.exe" | xtbpcuonvhxxuvp.exe

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\e: | mnjbsbijak.exe
File opened (read-only) | \??\u: | mnjbsbijak.exe
File opened (read-only) | \??\g: | fidiwwvu.exe
File opened (read-only) | \??\m: | fidiwwvu.exe
File opened (read-only) | \??\n: | fidiwwvu.exe
File opened (read-only) | \??\v: | fidiwwvu.exe
File opened (read-only) | \??\y: | mnjbsbijak.exe
File opened (read-only) | \??\r: | fidiwwvu.exe
File opened (read-only) | \??\w: | fidiwwvu.exe
File opened (read-only) | \??\a: | fidiwwvu.exe
File opened (read-only) | \??\k: | fidiwwvu.exe
File opened (read-only) | \??\u: | fidiwwvu.exe
File opened (read-only) | \??\p: | mnjbsbijak.exe
File opened (read-only) | \??\w: | mnjbsbijak.exe
File opened (read-only) | \??\w: | fidiwwvu.exe
File opened (read-only) | \??\x: | fidiwwvu.exe
File opened (read-only) | \??\o: | mnjbsbijak.exe
File opened (read-only) | \??\b: | fidiwwvu.exe
File opened (read-only) | \??\t: | fidiwwvu.exe
File opened (read-only) | \??\g: | mnjbsbijak.exe
File opened (read-only) | \??\j: | mnjbsbijak.exe
File opened (read-only) | \??\n: | mnjbsbijak.exe
File opened (read-only) | \??\a: | fidiwwvu.exe
File opened (read-only) | \??\e: | fidiwwvu.exe
File opened (read-only) | \??\i: | fidiwwvu.exe
File opened (read-only) | \??\o: | fidiwwvu.exe
File opened (read-only) | \??\y: | fidiwwvu.exe
File opened (read-only) | \??\a: | mnjbsbijak.exe
File opened (read-only) | \??\i: | fidiwwvu.exe
File opened (read-only) | \??\b: | mnjbsbijak.exe
File opened (read-only) | \??\x: | fidiwwvu.exe
File opened (read-only) | \??\z: | fidiwwvu.exe
File opened (read-only) | \??\g: | fidiwwvu.exe
File opened (read-only) | \??\l: | fidiwwvu.exe
File opened (read-only) | \??\t: | fidiwwvu.exe
File opened (read-only) | \??\l: | mnjbsbijak.exe
File opened (read-only) | \??\v: | mnjbsbijak.exe
File opened (read-only) | \??\j: | fidiwwvu.exe
File opened (read-only) | \??\b: | fidiwwvu.exe
File opened (read-only) | \??\h: | fidiwwvu.exe
File opened (read-only) | \??\p: | fidiwwvu.exe
File opened (read-only) | \??\z: | fidiwwvu.exe
File opened (read-only) | \??\n: | fidiwwvu.exe
File opened (read-only) | \??\s: | mnjbsbijak.exe
File opened (read-only) | \??\h: | fidiwwvu.exe
File opened (read-only) | \??\o: | fidiwwvu.exe
File opened (read-only) | \??\p: | fidiwwvu.exe
File opened (read-only) | \??\v: | fidiwwvu.exe
File opened (read-only) | \??\i: | mnjbsbijak.exe
File opened (read-only) | \??\k: | mnjbsbijak.exe
File opened (read-only) | \??\r: | mnjbsbijak.exe
File opened (read-only) | \??\k: | fidiwwvu.exe
File opened (read-only) | \??\q: | fidiwwvu.exe
File opened (read-only) | \??\t: | mnjbsbijak.exe
File opened (read-only) | \??\x: | mnjbsbijak.exe
File opened (read-only) | \??\z: | mnjbsbijak.exe
File opened (read-only) | \??\s: | fidiwwvu.exe
File opened (read-only) | \??\j: | fidiwwvu.exe
File opened (read-only) | \??\q: | fidiwwvu.exe
File opened (read-only) | \??\r: | fidiwwvu.exe
File opened (read-only) | \??\l: | fidiwwvu.exe
File opened (read-only) | \??\u: | fidiwwvu.exe
File opened (read-only) | \??\y: | fidiwwvu.exe
File opened (read-only) | \??\s: | fidiwwvu.exe

Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | mnjbsbijak.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | mnjbsbijak.exe

AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2540-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x000700000001939b-5.dat | autoit_exe
behavioral1/files/0x00080000000120fd-17.dat | autoit_exe
behavioral1/files/0x00070000000193b3-27.dat | autoit_exe
behavioral1/files/0x00060000000193e8-33.dat | autoit_exe
behavioral1/files/0x000600000001949e-68.dat | autoit_exe
behavioral1/files/0x003200000001930d-62.dat | autoit_exe

Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\fidiwwvu.exe | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | mnjbsbijak.exe
File created | C:\Windows\SysWOW64\mnjbsbijak.exe | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mnjbsbijak.exe | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\xtbpcuonvhxxuvp.exe | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\xtbpcuonvhxxuvp.exe | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\fidiwwvu.exe | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wipspkeyveocw.exe | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wipspkeyveocw.exe | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fidiwwvu.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fidiwwvu.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fidiwwvu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fidiwwvu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | fidiwwvu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fidiwwvu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | fidiwwvu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fidiwwvu.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fidiwwvu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fidiwwvu.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fidiwwvu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | fidiwwvu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | fidiwwvu.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fidiwwvu.exe

Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wipspkeyveocw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fidiwwvu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mnjbsbijak.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xtbpcuonvhxxuvp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fidiwwvu.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 19 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C67F1593DBC0B9BB7CE6ECE737B9" | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | mnjbsbijak.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | mnjbsbijak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | mnjbsbijak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFF8E4F5B82129047D72C7D90BCE4E634594267316346D6EA" | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | mnjbsbijak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | mnjbsbijak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B158479539EB52C9B9D53393D4B8" | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | mnjbsbijak.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | mnjbsbijak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | mnjbsbijak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | mnjbsbijak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | mnjbsbijak.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C769C2383226D3F76D2702F2CAD7D8F64AD" | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDF9B0F916F29983083A4486ED39E6B38902FC42600248E2CB45E609D1" | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BC3FE6B21ADD273D1D18A7F9013" | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | mnjbsbijak.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | mnjbsbijak.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2600 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2100 | mnjbsbijak.exe
2100 | mnjbsbijak.exe
2100 | mnjbsbijak.exe
2100 | mnjbsbijak.exe
2100 | mnjbsbijak.exe
2108 | fidiwwvu.exe
2108 | fidiwwvu.exe
2108 | fidiwwvu.exe
2108 | fidiwwvu.exe
2816 | xtbpcuonvhxxuvp.exe
2816 | xtbpcuonvhxxuvp.exe
2816 | xtbpcuonvhxxuvp.exe
2816 | xtbpcuonvhxxuvp.exe
2816 | xtbpcuonvhxxuvp.exe
1628 | fidiwwvu.exe
1628 | fidiwwvu.exe
1628 | fidiwwvu.exe
1628 | fidiwwvu.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
2816 | xtbpcuonvhxxuvp.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
2816 | xtbpcuonvhxxuvp.exe
2816 | xtbpcuonvhxxuvp.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
2816 | xtbpcuonvhxxuvp.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
2816 | xtbpcuonvhxxuvp.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
2816 | xtbpcuonvhxxuvp.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
2816 | xtbpcuonvhxxuvp.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
2816 | xtbpcuonvhxxuvp.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
2816 | xtbpcuonvhxxuvp.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
2816 | xtbpcuonvhxxuvp.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
2816 | xtbpcuonvhxxuvp.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
2816 | xtbpcuonvhxxuvp.exe

Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2100 | mnjbsbijak.exe
2100 | mnjbsbijak.exe
2100 | mnjbsbijak.exe
2108 | fidiwwvu.exe
2108 | fidiwwvu.exe
2108 | fidiwwvu.exe
2816 | xtbpcuonvhxxuvp.exe
2816 | xtbpcuonvhxxuvp.exe
2816 | xtbpcuonvhxxuvp.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
1628 | fidiwwvu.exe
1628 | fidiwwvu.exe
1628 | fidiwwvu.exe

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
2100 | mnjbsbijak.exe
2100 | mnjbsbijak.exe
2100 | mnjbsbijak.exe
2108 | fidiwwvu.exe
2108 | fidiwwvu.exe
2108 | fidiwwvu.exe
2816 | xtbpcuonvhxxuvp.exe
2816 | xtbpcuonvhxxuvp.exe
2816 | xtbpcuonvhxxuvp.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
1928 | wipspkeyveocw.exe
1628 | fidiwwvu.exe
1628 | fidiwwvu.exe
1628 | fidiwwvu.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2600 | WINWORD.EXE
2600 | WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2540 wrote to memory of 2100 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 29
PID 2540 wrote to memory of 2100 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 29
PID 2540 wrote to memory of 2100 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 29
PID 2540 wrote to memory of 2100 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 29
PID 2540 wrote to memory of 2816 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 30
PID 2540 wrote to memory of 2816 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 30
PID 2540 wrote to memory of 2816 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 30
PID 2540 wrote to memory of 2816 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 30
PID 2540 wrote to memory of 2108 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 31
PID 2540 wrote to memory of 2108 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 31
PID 2540 wrote to memory of 2108 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 31
PID 2540 wrote to memory of 2108 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 31
PID 2540 wrote to memory of 1928 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 32
PID 2540 wrote to memory of 1928 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 32
PID 2540 wrote to memory of 1928 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 32
PID 2540 wrote to memory of 1928 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 32
PID 2100 wrote to memory of 1628 | 2100 | mnjbsbijak.exe | 33
PID 2100 wrote to memory of 1628 | 2100 | mnjbsbijak.exe | 33
PID 2100 wrote to memory of 1628 | 2100 | mnjbsbijak.exe | 33
PID 2100 wrote to memory of 1628 | 2100 | mnjbsbijak.exe | 33
PID 2540 wrote to memory of 2600 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 34
PID 2540 wrote to memory of 2600 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 34
PID 2540 wrote to memory of 2600 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 34
PID 2540 wrote to memory of 2600 | 2540 | c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe | 34
PID 2600 wrote to memory of 2592 | 2600 | WINWORD.EXE | 36
PID 2600 wrote to memory of 2592 | 2600 | WINWORD.EXE | 36
PID 2600 wrote to memory of 2592 | 2600 | WINWORD.EXE | 36
PID 2600 wrote to memory of 2592 | 2600 | WINWORD.EXE | 36
Processes
Indented entries are child processes of the nearest less-indented entry above them.

C:\Users\Admin\AppData\Local\Temp\c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c082ff8af0528db66a7143e97522eeaa_JaffaCakes118.exe"
PID: 2540
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\mnjbsbijak.exe
  Command line: mnjbsbijak.exe
  PID: 2100
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\fidiwwvu.exe
    Command line: C:\Windows\system32\fidiwwvu.exe
    PID: 1628
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\xtbpcuonvhxxuvp.exe
  Command line: xtbpcuonvhxxuvp.exe
  PID: 2816
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\fidiwwvu.exe
  Command line: fidiwwvu.exe
  PID: 2108
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\wipspkeyveocw.exe
  Command line: wipspkeyveocw.exe
  PID: 1928
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  PID: 2600
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2592
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads