Analysis
max time kernel: 150s
max time network: 15s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 01/09/2024, 01:46
Static task: static1
Behavioral task: behavioral1
Sample: cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Size: 512KB
MD5: cdfaabe544a4b3a1fe3574561932bc46
SHA1: 498fd62df89689b03593876b19b1bd317ce375c6
SHA256: d7231c9941f8b195f8e380c7f44b5bd114e46ba5afaf67b3b01a3d4ac7f40291
SHA512: 42f4bcb4db36167256991c1859ead01eec56784bbf3ccf0ae8d109ff3f6d2774970c4376c3146228d819fe9ea3aa339647ae0719dbe8e60b6a7b6e0f4ae652f5
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6t:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5M
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | yutdzcdxwp.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | yutdzcdxwp.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | yutdzcdxwp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | yutdzcdxwp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | yutdzcdxwp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | yutdzcdxwp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | yutdzcdxwp.exe

Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | yutdzcdxwp.exe
Executes dropped EXE (5 IoCs)
pid | Process
2784 | yutdzcdxwp.exe
2880 | znillyioathczsl.exe
2848 | ooljcsej.exe
2812 | ffrapicsnadth.exe
2676 | ooljcsej.exe

Loads dropped DLL (5 IoCs)
pid | Process
2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2784 | yutdzcdxwp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | yutdzcdxwp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | yutdzcdxwp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | yutdzcdxwp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | yutdzcdxwp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | yutdzcdxwp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | yutdzcdxwp.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mamqijhk = "yutdzcdxwp.exe" | znillyioathczsl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eonufiwr = "znillyioathczsl.exe" | znillyioathczsl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ffrapicsnadth.exe" | znillyioathczsl.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\e: | ooljcsej.exe
File opened (read-only) | \??\o: | ooljcsej.exe
File opened (read-only) | \??\t: | ooljcsej.exe
File opened (read-only) | \??\o: | yutdzcdxwp.exe
File opened (read-only) | \??\o: | ooljcsej.exe
File opened (read-only) | \??\y: | ooljcsej.exe
File opened (read-only) | \??\t: | ooljcsej.exe
File opened (read-only) | \??\q: | ooljcsej.exe
File opened (read-only) | \??\w: | ooljcsej.exe
File opened (read-only) | \??\z: | ooljcsej.exe
File opened (read-only) | \??\k: | yutdzcdxwp.exe
File opened (read-only) | \??\x: | yutdzcdxwp.exe
File opened (read-only) | \??\b: | ooljcsej.exe
File opened (read-only) | \??\y: | ooljcsej.exe
File opened (read-only) | \??\a: | yutdzcdxwp.exe
File opened (read-only) | \??\v: | yutdzcdxwp.exe
File opened (read-only) | \??\w: | ooljcsej.exe
File opened (read-only) | \??\m: | ooljcsej.exe
File opened (read-only) | \??\v: | ooljcsej.exe
File opened (read-only) | \??\l: | yutdzcdxwp.exe
File opened (read-only) | \??\a: | ooljcsej.exe
File opened (read-only) | \??\l: | ooljcsej.exe
File opened (read-only) | \??\i: | ooljcsej.exe
File opened (read-only) | \??\s: | ooljcsej.exe
File opened (read-only) | \??\b: | ooljcsej.exe
File opened (read-only) | \??\p: | ooljcsej.exe
File opened (read-only) | \??\u: | ooljcsej.exe
File opened (read-only) | \??\m: | yutdzcdxwp.exe
File opened (read-only) | \??\w: | yutdzcdxwp.exe
File opened (read-only) | \??\h: | ooljcsej.exe
File opened (read-only) | \??\v: | ooljcsej.exe
File opened (read-only) | \??\j: | yutdzcdxwp.exe
File opened (read-only) | \??\y: | yutdzcdxwp.exe
File opened (read-only) | \??\i: | ooljcsej.exe
File opened (read-only) | \??\b: | yutdzcdxwp.exe
File opened (read-only) | \??\r: | ooljcsej.exe
File opened (read-only) | \??\e: | yutdzcdxwp.exe
File opened (read-only) | \??\g: | yutdzcdxwp.exe
File opened (read-only) | \??\i: | yutdzcdxwp.exe
File opened (read-only) | \??\j: | ooljcsej.exe
File opened (read-only) | \??\m: | ooljcsej.exe
File opened (read-only) | \??\n: | ooljcsej.exe
File opened (read-only) | \??\q: | yutdzcdxwp.exe
File opened (read-only) | \??\t: | yutdzcdxwp.exe
File opened (read-only) | \??\z: | yutdzcdxwp.exe
File opened (read-only) | \??\r: | ooljcsej.exe
File opened (read-only) | \??\p: | yutdzcdxwp.exe
File opened (read-only) | \??\r: | yutdzcdxwp.exe
File opened (read-only) | \??\q: | ooljcsej.exe
File opened (read-only) | \??\k: | ooljcsej.exe
File opened (read-only) | \??\n: | yutdzcdxwp.exe
File opened (read-only) | \??\g: | ooljcsej.exe
File opened (read-only) | \??\h: | yutdzcdxwp.exe
File opened (read-only) | \??\u: | yutdzcdxwp.exe
File opened (read-only) | \??\n: | ooljcsej.exe
File opened (read-only) | \??\u: | ooljcsej.exe
File opened (read-only) | \??\a: | ooljcsej.exe
File opened (read-only) | \??\l: | ooljcsej.exe
File opened (read-only) | \??\e: | ooljcsej.exe
File opened (read-only) | \??\p: | ooljcsej.exe
File opened (read-only) | \??\h: | ooljcsej.exe
File opened (read-only) | \??\x: | ooljcsej.exe
File opened (read-only) | \??\x: | ooljcsej.exe
File opened (read-only) | \??\z: | ooljcsej.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | yutdzcdxwp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | yutdzcdxwp.exe

AutoIT Executable (6 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2556-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0008000000018f90-5.dat | autoit_exe
behavioral1/files/0x000c000000015635-17.dat | autoit_exe
behavioral1/files/0x0007000000018f98-29.dat | autoit_exe
behavioral1/files/0x0006000000018f9c-38.dat | autoit_exe
behavioral1/files/0x0006000000018fe4-70.dat | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\yutdzcdxwp.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ooljcsej.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ffrapicsnadth.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | yutdzcdxwp.exe
File opened for modification | C:\Windows\SysWOW64\yutdzcdxwp.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\znillyioathczsl.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\znillyioathczsl.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ooljcsej.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ffrapicsnadth.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe

Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ooljcsej.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ooljcsej.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ooljcsej.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ooljcsej.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ooljcsej.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ooljcsej.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ooljcsej.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ooljcsej.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ooljcsej.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ooljcsej.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ooljcsej.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ooljcsej.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ooljcsej.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ooljcsej.exe

Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yutdzcdxwp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | znillyioathczsl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ooljcsej.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ffrapicsnadth.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ooljcsej.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe

Office loads VBA resources, possible macro or embedded object present
Modifies registry class (19 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | yutdzcdxwp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | yutdzcdxwp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352D7D9D2D83206D3676D370222DD67CF265D9" | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFABAF964F195837C3A3186EB39E5B08E03F04360033AE2C4459C08A6" | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFFF84F5D85699047D72E7D96BCEEE13C594667436243D79C" | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FC6BB4FE6922D9D279D0A48A0E9161" | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | yutdzcdxwp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | yutdzcdxwp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | yutdzcdxwp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | yutdzcdxwp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C67E15ECDBBEB8B97C92ECE037CB" | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | yutdzcdxwp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | yutdzcdxwp.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | yutdzcdxwp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | yutdzcdxwp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | yutdzcdxwp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B15A47E239E853CDB9D132E9D7CC" | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | yutdzcdxwp.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
2640 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 rows of this table are collapsed by pid below; the occurrences column gives how many times each pid appears.
pid | Process | occurrences
2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 8
2784 | yutdzcdxwp.exe | 5
2880 | znillyioathczsl.exe | 17
2848 | ooljcsej.exe | 4
2812 | ffrapicsnadth.exe | 26
2676 | ooljcsej.exe | 4

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2784 | yutdzcdxwp.exe
2784 | yutdzcdxwp.exe
2784 | yutdzcdxwp.exe
2880 | znillyioathczsl.exe
2880 | znillyioathczsl.exe
2880 | znillyioathczsl.exe
2848 | ooljcsej.exe
2848 | ooljcsej.exe
2848 | ooljcsej.exe
2812 | ffrapicsnadth.exe
2812 | ffrapicsnadth.exe
2812 | ffrapicsnadth.exe
2676 | ooljcsej.exe
2676 | ooljcsej.exe
2676 | ooljcsej.exe

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2784 | yutdzcdxwp.exe
2784 | yutdzcdxwp.exe
2784 | yutdzcdxwp.exe
2880 | znillyioathczsl.exe
2880 | znillyioathczsl.exe
2880 | znillyioathczsl.exe
2848 | ooljcsej.exe
2848 | ooljcsej.exe
2848 | ooljcsej.exe
2812 | ffrapicsnadth.exe
2812 | ffrapicsnadth.exe
2812 | ffrapicsnadth.exe
2676 | ooljcsej.exe
2676 | ooljcsej.exe
2676 | ooljcsej.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2640 | WINWORD.EXE
2640 | WINWORD.EXE

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 2556 wrote to memory of 2784 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 29
PID 2556 wrote to memory of 2784 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 29
PID 2556 wrote to memory of 2784 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 29
PID 2556 wrote to memory of 2784 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 29
PID 2556 wrote to memory of 2880 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 30
PID 2556 wrote to memory of 2880 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 30
PID 2556 wrote to memory of 2880 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 30
PID 2556 wrote to memory of 2880 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 30
PID 2556 wrote to memory of 2848 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 31
PID 2556 wrote to memory of 2848 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 31
PID 2556 wrote to memory of 2848 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 31
PID 2556 wrote to memory of 2848 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 31
PID 2556 wrote to memory of 2812 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 32
PID 2556 wrote to memory of 2812 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 32
PID 2556 wrote to memory of 2812 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 32
PID 2556 wrote to memory of 2812 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 32
PID 2784 wrote to memory of 2676 | 2784 | yutdzcdxwp.exe | 33
PID 2784 wrote to memory of 2676 | 2784 | yutdzcdxwp.exe | 33
PID 2784 wrote to memory of 2676 | 2784 | yutdzcdxwp.exe | 33
PID 2784 wrote to memory of 2676 | 2784 | yutdzcdxwp.exe | 33
PID 2556 wrote to memory of 2640 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 34
PID 2556 wrote to memory of 2640 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 34
PID 2556 wrote to memory of 2640 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 34
PID 2556 wrote to memory of 2640 | 2556 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 34
PID 2640 wrote to memory of 1996 | 2640 | WINWORD.EXE | 36
PID 2640 wrote to memory of 1996 | 2640 | WINWORD.EXE | 36
PID 2640 wrote to memory of 1996 | 2640 | WINWORD.EXE | 36
PID 2640 wrote to memory of 1996 | 2640 | WINWORD.EXE | 36
Processes
(Process tree; indentation shows the parent/child relationship.)

C:\Users\Admin\AppData\Local\Temp\cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe (PID 2556)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\yutdzcdxwp.exe (PID 2784)
    Command line: yutdzcdxwp.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ooljcsej.exe (PID 2676)
      Command line: C:\Windows\system32\ooljcsej.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\znillyioathczsl.exe (PID 2880)
    Command line: znillyioathczsl.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ooljcsej.exe (PID 2848)
    Command line: ooljcsej.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ffrapicsnadth.exe (PID 2812)
    Command line: ffrapicsnadth.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2640)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (PID 1996)
      Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 0b5e34c8c8b7b9c4f59f7af01c7e5e93
SHA1: aeea2944f0a7378fc803a0cc893fd7d8ce7d7d55
SHA256: da549eb45402b34e7bda9374d50a1a771657528ea8897ecca4717c6369144a4e
SHA512: 91f1bd72166e3bfcdcf48c7c7dfcdb27552651505a591cbb03eb9983d400c152dd1df0c5dbf69dd47caad1aed9dc5872dd03ce8d31919a62d86fda74a7b903ac

Filesize: 19KB
MD5: 35b7d137033b4c9bbe88ed4b07e8fb4e
SHA1: 9c41d9e83f44c3b026e477a37a4f42ee126f47bd
SHA256: cef5ebef61ad9246a5ef0c26cf5324b88a647d4f2fcb792a5be14f6eeb4e5b03
SHA512: 3b2d0a65f873ddd869820e30b0fe434a0c67264db6cafc53fdb02f2d785d527c0cbaaff8ed20eeac0e494f7f26b6cc0a61d9c16ef1927dceac4c1aa84998bca3

Filesize: 512KB
MD5: a7ff3ace30a54fb7ee6c8fd5161ccf0b
SHA1: f4cf64fae4e357d62ad861b1446b7e37aa46af8f
SHA256: 5a92df8e8d3feb82c67537b9aa72c6536f5c4b7b50c4efc261e4ec7606158264
SHA512: fcadb8bc48cd5a23b72fc62edaf27d8a59d5bc0f3f5fa73c660ba1ad3c1d6ed18c53efea6dfc85ba81ce614562b187ef1ef4814d26008169a66fc70d56b64101

Filesize: 512KB
MD5: 1e28c66fb5d10141f12ef867a78fda58
SHA1: 22fcffbd4f69d77dab9040157e2ee7b75b7f3353
SHA256: 32fbbe51256ec9dc03a229f6f617d9637f8b780d729369defb0b6908e3e293ff
SHA512: 97cf770780bd9bc8be3fb09bb28a660bae3a419394a286a30d15ff97ea2d12082da14f14c4665c7839917eb513a91c05da4728e97f4d00a40de4a508f5d17a77

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 7511d087ff5cbccf4f0bd3430bf26fdd
SHA1: 1f71b109fac49df02412c52cbbdbefe3a23be524
SHA256: c6559be49f702d932727ee8f9ac8dc0622532532fe460680cda16f200e8c5961
SHA512: ad2ffbc9f3af84123ee3f6b9c938241d5c41d2d7e1ea521334093d934b705a9d2ffd37e0971cf48fd83c86ed709614ecd05d0beec2f99703e0ff489198cd2ebb

Filesize: 512KB
MD5: 4661809d6a739712aa22377f09af8133
SHA1: de0de7adf495192d5eed4beaf2addd3acc3ee39b
SHA256: 6f768f8d4c9df9e8417167e5591b714c0f06fcdb93975197c0ddbec26828a0a1
SHA512: df66e1a9a33f58d7ad6a3539f3327208c176d7c9c4cba158b5ce4c6fefa7e85121a48d24bcba71dc74521c1e8bc73bf8a4598818359ed6545a92ac8b72d4721e