Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/09/2024, 22:44
Static task: static1
Behavioral task: behavioral1
Sample: d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Size: 512KB
MD5: d538e33e460f736d6748f866ee31fdc6
SHA1: 2b5cf80c58d6bc905c11f9374ecc64f962aa5b6a
SHA256: 7fd5992c88194526a13050960d694f1b637d8a87b9d845e9a4b0d3c47560174b
SHA512: 7ca6d93548f247d0cf08cca98b1dbcabfd93ecddb5dcd33ac631ae296ab03f6711a01f46800e32650321686d798210b2026ff45023424cfc369b25e84114711f
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6A:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5B
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | zxqwhahbhl.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zxqwhahbhl.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zxqwhahbhl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zxqwhahbhl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zxqwhahbhl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zxqwhahbhl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zxqwhahbhl.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zxqwhahbhl.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | Process
3036 | zxqwhahbhl.exe
4536 | cehfxylrxncqdzb.exe
1308 | wpisxwhg.exe
4812 | ohdrsosgadjrs.exe
4392 | wpisxwhg.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zxqwhahbhl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zxqwhahbhl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zxqwhahbhl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | zxqwhahbhl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zxqwhahbhl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zxqwhahbhl.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zueqrbij = "zxqwhahbhl.exe" | cehfxylrxncqdzb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hjnjicnj = "cehfxylrxncqdzb.exe" | cehfxylrxncqdzb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ohdrsosgadjrs.exe" | cehfxylrxncqdzb.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 rows are "File opened (read-only)" on a drive root of the form \??\<letter>:; grouped by process:
wpisxwhg.exe (43 rows) | \??\a:, \??\b:, \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z: (each letter appears twice except \??\e:, \??\k: and \??\l:, which appear once)
zxqwhahbhl.exe (21 rows) | \??\a:, \??\b:, \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\r:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z: (each once)
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | zxqwhahbhl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | zxqwhahbhl.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/696-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023484-5.dat | autoit_exe
behavioral2/files/0x0008000000023483-18.dat | autoit_exe
behavioral2/files/0x0007000000023485-26.dat | autoit_exe
behavioral2/files/0x0007000000023486-32.dat | autoit_exe
behavioral2/files/0x000800000002346d-66.dat | autoit_exe
behavioral2/files/0x0007000000023492-71.dat | autoit_exe
behavioral2/files/0x0007000000023498-81.dat | autoit_exe
behavioral2/files/0x00070000000234a3-99.dat | autoit_exe
behavioral2/files/0x00070000000234a3-338.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\zxqwhahbhl.exe | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zxqwhahbhl.exe | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\cehfxylrxncqdzb.exe | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wpisxwhg.exe | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ohdrsosgadjrs.exe | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | zxqwhahbhl.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wpisxwhg.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wpisxwhg.exe
File created | C:\Windows\SysWOW64\cehfxylrxncqdzb.exe | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wpisxwhg.exe | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ohdrsosgadjrs.exe | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wpisxwhg.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wpisxwhg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wpisxwhg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wpisxwhg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wpisxwhg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wpisxwhg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wpisxwhg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wpisxwhg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wpisxwhg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wpisxwhg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wpisxwhg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wpisxwhg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wpisxwhg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wpisxwhg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wpisxwhg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wpisxwhg.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created (x2), File opened for modification (x2) | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wpisxwhg.exe
File created (x2), File opened for modification (x2) | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wpisxwhg.exe
File created (x2), File opened for modification (x2) | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wpisxwhg.exe
File created (x2), File opened for modification (x2) | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wpisxwhg.exe
File opened for modification | C:\Windows\mydoc.rtf | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
(The "r..t" in the WinSxS component names is the shortened form of the name as it appears in the report.)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohdrsosgadjrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wpisxwhg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zxqwhahbhl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cehfxylrxncqdzb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wpisxwhg.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFF8F485F82139042D7287E96BD95E133594367366245D6EE" | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | zxqwhahbhl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | zxqwhahbhl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | zxqwhahbhl.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C67B15ECDAB1B8CD7CE7ED9034BC" | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | zxqwhahbhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | zxqwhahbhl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | zxqwhahbhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | zxqwhahbhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D0B9D5782586A3476D1702E2CDC7D8664AC" | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFAB1F965F1E484783A3186973E93B3FE02FA43120238E1CA45EA08A8" | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B02A47E7389A52BDB9D5329DD7BE" | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | zxqwhahbhl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | zxqwhahbhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08068B0FE1822D9D172D0D38A099160" | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | zxqwhahbhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | zxqwhahbhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | zxqwhahbhl.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | rows
724 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | rows
696 | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe | 16
3036 | zxqwhahbhl.exe | 10
4536 | cehfxylrxncqdzb.exe | 14
1308 | wpisxwhg.exe | 8
4812 | ohdrsosgadjrs.exe | 16
(the 64 rows are identical pid/Process pairs, so they are shown here as one row per process with its count)
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | rows
696 | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe | 3
4536 | cehfxylrxncqdzb.exe | 3
3036 | zxqwhahbhl.exe | 3
1308 | wpisxwhg.exe | 3
4812 | ohdrsosgadjrs.exe | 3
4392 | wpisxwhg.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | rows
696 | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe | 3
4536 | cehfxylrxncqdzb.exe | 3
3036 | zxqwhahbhl.exe | 3
1308 | wpisxwhg.exe | 3
4812 | ohdrsosgadjrs.exe | 3
4392 | wpisxwhg.exe | 3
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | rows
724 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | rows
PID 696 wrote to memory of 3036 | 696 | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe | 84 | 3
PID 696 wrote to memory of 4536 | 696 | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe | 85 | 3
PID 696 wrote to memory of 1308 | 696 | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe | 86 | 3
PID 696 wrote to memory of 4812 | 696 | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe | 87 | 3
PID 696 wrote to memory of 724 | 696 | d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe | 89 | 2
PID 3036 wrote to memory of 4392 | 3036 | zxqwhahbhl.exe | 91 | 3
Processes

1. C:\Users\Admin\AppData\Local\Temp\d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe"
   PID: 696
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\zxqwhahbhl.exe
      Command line: zxqwhahbhl.exe
      PID: 3036
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\wpisxwhg.exe
         Command line: C:\Windows\system32\wpisxwhg.exe
         PID: 4392
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\cehfxylrxncqdzb.exe
      Command line: cehfxylrxncqdzb.exe
      PID: 4536
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\wpisxwhg.exe
      Command line: wpisxwhg.exe
      PID: 1308
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\ohdrsosgadjrs.exe
      Command line: ohdrsosgadjrs.exe
      PID: 4812
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      PID: 724
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads