Analysis
- max time kernel: 150s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/08/2024, 15:49

Static task: static1
Behavioral task: behavioral1
Sample: c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe
Resource: win7-20240729-en
General
- Target: c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe
- Size: 512KB
- MD5: c11192dc6211e591dca1454c40404a7d
- SHA1: 809c6aa8d2232d7bd79e82af9c6344ed093a8527
- SHA256: f2967282fa56e471a8df2ec0fda6d88b4fb44db6833d8952050c8bf72511b7e6
- SHA512: b59214b9b4b0453ae7ce5b7d67a021fb0804f8da20d903b85813d9ed6075a5d14b2b9b0bcb483ea81caa737dd57607524e8917c25eb58151b9ccc5be48e3cbee
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj65:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- wlrdlzwxki.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- wlrdlzwxki.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Windows security bypass
- wlrdlzwxki.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- wlrdlzwxki.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- wlrdlzwxki.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- wlrdlzwxki.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- wlrdlzwxki.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"

Disables RegEdit via registry modification 1 IoCs
- wlrdlzwxki.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation

Executes dropped EXE 5 IoCs
- PID 1216 wlrdlzwxki.exe
- PID 2264 vsmjsvft.exe
- PID 5000 ytrpvarbjhcbxco.exe
- PID 3304 johkhuaatfhdk.exe
- PID 1768 vsmjsvft.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
- wlrdlzwxki.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- wlrdlzwxki.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- wlrdlzwxki.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
- wlrdlzwxki.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- wlrdlzwxki.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- wlrdlzwxki.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Adds Run key to start application 2 TTPs 3 IoCs
- ytrpvarbjhcbxco.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\foqbtmcq = "ytrpvarbjhcbxco.exe"
- ytrpvarbjhcbxco.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "johkhuaatfhdk.exe"
- ytrpvarbjhcbxco.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\byfwykfm = "wlrdlzwxki.exe"

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- wlrdlzwxki.exe: File opened (read-only) \??\t:, \??\e:, \??\i:, \??\r:, \??\j:, \??\k:, \??\w:, \??\h:, \??\m:, \??\u:, \??\q:, \??\v:, \??\a:, \??\y:, \??\l:, \??\n:, \??\b:, \??\s:, \??\o:, \??\z:, \??\g:, \??\p:, \??\x: (23 events)
- vsmjsvft.exe: File opened (read-only) \??\p:, \??\v:, \??\m:, \??\p:, \??\g:, \??\l:, \??\r:, \??\g:, \??\s:, \??\q:, \??\w:, \??\j:, \??\t:, \??\i:, \??\t:, \??\z:, \??\z:, \??\q:, \??\y:, \??\l:, \??\r:, \??\n:, \??\u:, \??\k:, \??\o:, \??\a:, \??\h:, \??\b:, \??\s:, \??\e:, \??\a:, \??\i:, \??\w:, \??\x:, \??\b:, \??\v:, \??\n:, \??\k:, \??\y:, \??\j:, \??\u: (41 events; the report does not distinguish the two vsmjsvft.exe instances, PIDs 2264 and 1768, so letters repeat)

Modifies WinLogon 2 TTPs 2 IoCs
- wlrdlzwxki.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
- wlrdlzwxki.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
Resources matching YARA rule autoit_exe:
- behavioral2/memory/3884-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x00070000000235c8-5.dat
- behavioral2/files/0x00090000000235c1-18.dat
- behavioral2/files/0x00070000000235c9-25.dat
- behavioral2/files/0x00070000000235ca-32.dat
- behavioral2/files/0x0008000000023481-71.dat
- behavioral2/files/0x0009000000023504-88.dat
- behavioral2/files/0x0008000000023505-90.dat
- behavioral2/files/0x0008000000023508-108.dat
- behavioral2/files/0x0008000000023507-102.dat
- behavioral2/files/0x0008000000023506-100.dat
- behavioral2/files/0x001e000000023601-604.dat
- behavioral2/files/0x001e000000023601-606.dat

Drops file in System32 directory 12 IoCs
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: File created C:\Windows\SysWOW64\wlrdlzwxki.exe
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\ytrpvarbjhcbxco.exe
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: File created C:\Windows\SysWOW64\vsmjsvft.exe
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\vsmjsvft.exe
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: File created C:\Windows\SysWOW64\johkhuaatfhdk.exe
- vsmjsvft.exe: File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\wlrdlzwxki.exe
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: File created C:\Windows\SysWOW64\ytrpvarbjhcbxco.exe
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\johkhuaatfhdk.exe
- wlrdlzwxki.exe: File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
- vsmjsvft.exe: File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Drops file in Program Files directory 14 IoCs
- vsmjsvft.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- vsmjsvft.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- vsmjsvft.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- vsmjsvft.exe: File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- vsmjsvft.exe: File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- vsmjsvft.exe: File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- vsmjsvft.exe: File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- vsmjsvft.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- vsmjsvft.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- vsmjsvft.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- vsmjsvft.exe: File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- vsmjsvft.exe: File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- vsmjsvft.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- vsmjsvft.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal

Drops file in Windows directory 19 IoCs
- vsmjsvft.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: File opened for modification C:\Windows\mydoc.rtf
- WINWORD.EXE: File opened for modification C:\Windows\mydoc.rtf
- WINWORD.EXE: File created C:\Windows\~$mydoc.rtf
- vsmjsvft.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- vsmjsvft.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- wlrdlzwxki.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- vsmjsvft.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- ytrpvarbjhcbxco.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- johkhuaatfhdk.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- vsmjsvft.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0

Enumerates system info in registry 2 TTPs 3 IoCs
- WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Modifies registry class 20 IoCs
- wlrdlzwxki.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
- wlrdlzwxki.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B02947E339E852CDB9D43293D4BB"
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFF884828851A9130D65B7D94BD97E6365941674F6343D79F"
- wlrdlzwxki.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
- wlrdlzwxki.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F368C3FE1D22DFD179D0A58A7F9167"
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC67E14E3DAC0B9C07CE9EDE437C8"
- wlrdlzwxki.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCF9B0FE16F299840F3B4081993993B0FC02FC4312033BE2BD429C08A5"
- wlrdlzwxki.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
- wlrdlzwxki.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
- wlrdlzwxki.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
- c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C0F9D5283206A3077A177212DD67D8564AB"
- wlrdlzwxki.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
- wlrdlzwxki.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
- wlrdlzwxki.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
- wlrdlzwxki.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 2504 WINWORD.EXE (2 events)

Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 3884 c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe (16 events)
- PID 1216 wlrdlzwxki.exe (10 events)
- PID 3304 johkhuaatfhdk.exe (12 events)
- PID 5000 ytrpvarbjhcbxco.exe (8 events)
- PID 2264 vsmjsvft.exe (8 events)
- PID 5000 ytrpvarbjhcbxco.exe (2 events)
- PID 1768 vsmjsvft.exe (8 events)

Suspicious use of FindShellTrayWindow 18 IoCs
- PID 3884 c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe (3 events)
- PID 1216 wlrdlzwxki.exe (3 events)
- PID 3304 johkhuaatfhdk.exe (3 events)
- PID 5000 ytrpvarbjhcbxco.exe and PID 2264 vsmjsvft.exe, interleaved (3 events each)
- PID 1768 vsmjsvft.exe (3 events)

Suspicious use of SendNotifyMessage 18 IoCs
- PID 3884 c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe (3 events)
- PID 1216 wlrdlzwxki.exe (3 events)
- PID 3304 johkhuaatfhdk.exe (3 events)
- PID 5000 ytrpvarbjhcbxco.exe and PID 2264 vsmjsvft.exe, interleaved (3 events each)
- PID 1768 vsmjsvft.exe (3 events)

Suspicious use of SetWindowsHookEx 7 IoCs
- PID 2504 WINWORD.EXE (7 events)

Suspicious use of WriteProcessMemory 17 IoCs
- PID 3884 c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe wrote to memory of PID 1216 (procid_target 93), 3 events
- PID 3884 c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe wrote to memory of PID 5000 (procid_target 94), 3 events
- PID 3884 c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe wrote to memory of PID 2264 (procid_target 95), 3 events
- PID 3884 c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe wrote to memory of PID 3304 (procid_target 96), 3 events
- PID 1216 wlrdlzwxki.exe wrote to memory of PID 1768 (procid_target 97), 3 events
- PID 3884 c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe wrote to memory of PID 2504 (procid_target 98), 2 events
Processes
- C:\Users\Admin\AppData\Local\Temp\c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe (PID 3884), command line: "C:\Users\Admin\AppData\Local\Temp\c11192dc6211e591dca1454c40404a7d_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wlrdlzwxki.exe (PID 1216), command line: wlrdlzwxki.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vsmjsvft.exe (PID 1768), command line: C:\Windows\system32\vsmjsvft.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\ytrpvarbjhcbxco.exe (PID 5000), command line: ytrpvarbjhcbxco.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\vsmjsvft.exe (PID 2264), command line: vsmjsvft.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\johkhuaatfhdk.exe (PID 3304), command line: johkhuaatfhdk.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2504), command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3972), command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4236,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3936 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
- Filesize: 512KB
  MD5: bc79cca8f80c213f7c5e166944414e19
  SHA1: 69f46b0ba872628d07d492dd95b5764558b37f0c
  SHA256: 497728b006576aa4a80fd1cfbbcda6ebaa0243dc30d5df8e5210ba15f1473dea
  SHA512: 8843dc1ed4efcf272e787426f5085d9c48c171f6a973f99d7bf74478d9112fe73a582933ebde78a71637edf67f3a09ecd2011965405cfe9e39556691ccaa7f25
- Filesize: 263KB
  MD5: ff0e07eff1333cdf9fc2523d323dd654
  SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
- Filesize: 332B
  MD5: 8f6155f5e2f72b312a17ad3c61a691b2
  SHA1: 360fc32464fbf552544b0154f66a7943b2961d64
  SHA256: 43e0745ccd26e7dab50bda0f99dc11639a882a681e79f9308b0d5819c774c3ed
  SHA512: 2540ea798cd1f07b77e2094159939496c35e00644d423b5bf56964f1dfd08a2807c47144e7da2af2d45470489fd470b3a901aa5ce57661598b40d58f00b4d909
- Filesize: 16B
  MD5: d29962abc88624befc0135579ae485ec
  SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
  SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
  SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 1KB
  MD5: 23b6de30640fd41be2c5e4c2d72cbac4
  SHA1: 9f3774466334458de92501c90510c0adf305c304
  SHA256: 89d821cfa0420c30a347037655ac4a0544b5d8bbc50c50bedbea7c45e9ead345
  SHA512: c0d9e083b277e418d49695626ad1d6aa5d23ff87e5804efc93f33190313ecb303ff8244df2fe2c4cf38e57db153c605d36c0b7d3e4888f83690e425046816c38
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 1KB
  MD5: 44bf416b36071e57a7c32e21fb965af6
  SHA1: bd97f34562bdce776a9e866eee9befcd271bda2f
  SHA256: cdf55258082c0fc878963f4d3c6a678bd5e0780fe24a05934e9b3e3aae5261c5
  SHA512: 7df322cd06ce2ee0105c3ef665cec77c5f02c55b45d1c0f339ce71343e6df8be7656742621b0b02121f476584fcc4732c30ad1d876696f8fc88893fd44e862f0
- Filesize: 512KB
  MD5: 684142321325a76ac78855c5f83331e6
  SHA1: b7cd3799054ee959ce6f489146a1f0e51758deb8
  SHA256: 97819acd1e54f91b799e52361f6547b2e85a9392ba1f71eba172e70b73f187eb
  SHA512: 10bf8bfc926e09a1c1c78555adebb482634a11c15379290f55e1ede43ecea071e282d27a7cac9ac3b21fadb7a5c1ca2984cdc0a39c788ede10578abd4c779071
- Filesize: 512KB
  MD5: fcae0b6dfabb12a6d598e7ef16be5723
  SHA1: 4f7c3646a8d59449d102e86ba2c4e3a40c6e6df5
  SHA256: 6bd36f655ad9c0ce3ee7957744b2051cfe2e519c70b27cf591e1b5cc3d29d75b
  SHA512: 1d4b46c94e22f165e815d67fe4a3a4dec4dd41a11ba863e132fda26379e8c8b12f60d73ea205996256bac7c2a10c6330c839e5089a979a728bc7bffb6a33f011
- Filesize: 512KB
  MD5: 5f65eebb0db1dfd5a1a09da50f29a51d
  SHA1: 4da70f718baa2d607e9373839af14e20efde1583
  SHA256: 4a8acc28b42ff81f71723fce780b51784d9647136fb4b67c126e052eea43ff63
  SHA512: b54c8adff8dc7055b86c0e17dd85bddcf9494e9afc62553e861dbfdb056bef87348c3d123cfc561880024192539da2ed2b83ec04cd975b8d5e0b7adb49dde381
- Filesize: 512KB
  MD5: 69a578c849496bd6e8fd3cad905d6682
  SHA1: 7a55e4e3830fb77ffe9c7fcb01cabbd73b99af27
  SHA256: fadb63a958f3240fa1239e7188451efd770a1b0feb848ee695679e115ce6dd14
  SHA512: 8df157b2c8e1c18a0b5f292fe4ca34f7c702e8361c0aed8049c4cf22fddf0b27b648443546e8a582f745cdc8f98cf7233b630b6b3daa76697eb18fc05941536c
- Filesize: 512KB
  MD5: d9e9f06029ce3ab2752b9747447a3123
  SHA1: dc676c696a23653b837d414737da0b6acad12d85
  SHA256: cc0c9da5c98ddeb6ce2c58cdebe0937e64c0a15f0bc77847b4e6712078e13204
  SHA512: 5f6f2298b0d08972e92857d718761523f0d50ce0940975a93408ba8fca2a297ff8e8cb79f51a67011a5d56dfc6b8d20194da2567d55a5685f9e8a9ed371591e8
- Filesize: 512KB
  MD5: f6a547ed7bc2c8c495b9641f92bbbd2e
  SHA1: 1ab6479c5bac86db642f2f1ee6df9a229dd6ed11
  SHA256: 0e6953f219a83f4e24bc32da6b201746d1f6fb472caf431e5b26ed97db90c049
  SHA512: 6d8f5143405791be1afe6fc2a92a01ef9429d705867bc6c1cc5484f367c7c34c95ed4a5308eb9773caa8f8508519b71ab6eb85a81a9e964e99e2f5f6ed4f65ec
- Filesize: 512KB
  MD5: c70d91163e353b71f69f17ceb2360a0c
  SHA1: ee79fbe56772ecd23a766dac9dd7b56770c34795
  SHA256: 1549350e5269a3bcf53141da31b161dc6d40fee1bfa40524c0fe63a881698527
  SHA512: ab8401e030f51c03048aa93fd521a646be694e73328c95ec11e9b2bf6aaf0e498ea37f727d99e110048645fbfde25eef35322af6d3f2919c1cfefc04b9ec9e04
- Filesize: 512KB
  MD5: 239ab67a31bef0951d48c721b3957d55
  SHA1: 97e8916722523a4fa80dfd8e9a40eeae6eae4d68
  SHA256: f9447ef69ed9a69921c0e844825e852f1cdee57ec4e1c4abab41a5fe38bd3e54
  SHA512: 17066df8d70c0e908b7b6b9a92a6b3e0ac9375c9743b701f49ffdd0a35f60edb19968472b83343b05ff7a53eaf7f8518f53afbe74726d268bdf64749b8de5608
- Filesize: 512KB
  MD5: 16622da6e5d4565b830c33cf876c2a8f
  SHA1: 6610e80be970bac8ae2f7a3599cf75caaebde7a3
  SHA256: f18ac3a1a433f97fb92031cf9172b16e092e3466ff68abc5d16a891091250a75
  SHA512: 59eabef144fe39218252bc5bf5f941659cebbd5659eefd04e48c92ebac5c9ce192abb8209811ab22e605231546cc31387f479f82cb7d46113f47f2dfc4479069
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 512KB
  MD5: 259d9e3206c793264ad393e0d4d3f369
  SHA1: b6fe8a74f39ef0e80175ace8abca1c9d104b31d7
  SHA256: f1905e366652863bfc3337c3b3a9a6af0912e5cac46cc2b1b61a64a0ba6d9a84
  SHA512: 84565441e20cb58abd8f517d85bb2fecedcbde9703b4de80c5830ba5aa2bc4c9ef61635572305683cadda5eda38bed62520a4b7077a346d174ec94843ccfe960
- Filesize: 512KB
  MD5: 337510bc2e98385803b98c14a5d40d27
  SHA1: 9248613319b52608c72dcab10271e815f113c2bb
  SHA256: 1c3820e369f27a6936750cddcddfc60b9bc3842e7049e19b233a065b5820bebe
  SHA512: fe7f99da45e431a9d5c802c1cc956b5f5dba040c5f95808db7fffc8d314dc76ecb35df103e467bddc967b45e9e47ba3852fbb7fe1646ef3cedb4feba24627c2e