Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09/09/2024, 09:14
Static task: static1
Behavioral task: behavioral1
- Sample: d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe
- Size: 512KB
- MD5: d604b476e25e617d82cba2ec70e61d09
- SHA1: 2fff18e9d8bf2d8a6ea0de48ab624bb39effc152
- SHA256: ad2ef716bc4533dc33cdffbb9e1f3338bbefe12d671438f3af72324341ba3f86
- SHA512: df87bbc710cc7b0acb4e3ddc6a4b46ac20859db1dcc93f2febcc40a3124f12336bf1bbcad2a56cf38f8e566de2e0144f62c0a125108b4de04aeb838cc9c9b4d6
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5u
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (pqwygtdugk.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (pqwygtdugk.exe)

Windows security bypass (5 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (pqwygtdugk.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (pqwygtdugk.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (pqwygtdugk.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (pqwygtdugk.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (pqwygtdugk.exe)

Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (pqwygtdugk.exe)
Executes dropped EXE (5 IoCs)
- PID 2716 pqwygtdugk.exe
- PID 2568 ptaevnytidcpglg.exe
- PID 2092 khdcraej.exe
- PID 2660 hzfdchexcuxpo.exe
- PID 2512 khdcraej.exe

Loads dropped DLL (5 IoCs)
- PID 2080 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe (4 entries)
- PID 2716 pqwygtdugk.exe (1 entry)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (pqwygtdugk.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (pqwygtdugk.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (pqwygtdugk.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (pqwygtdugk.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (pqwygtdugk.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (pqwygtdugk.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxcbcnph = "pqwygtdugk.exe" (ptaevnytidcpglg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yyfudjgo = "ptaevnytidcpglg.exe" (ptaevnytidcpglg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hzfdchexcuxpo.exe" (ptaevnytidcpglg.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by pqwygtdugk.exe (23 entries, in report order): \??\t:, \??\k:, \??\q:, \??\j:, \??\x:, \??\u:, \??\m:, \??\v:, \??\g:, \??\o:, \??\y:, \??\e:, \??\s:, \??\a:, \??\z:, \??\b:, \??\l:, \??\n:, \??\r:, \??\i:, \??\h:, \??\w:, \??\p:
- File opened (read-only) by khdcraej.exe (41 entries, in report order): \??\a:, \??\k:, \??\y:, \??\b:, \??\l:, \??\r:, \??\t:, \??\z:, \??\e:, \??\x:, \??\w:, \??\r:, \??\m:, \??\l:, \??\q:, \??\v:, \??\g:, \??\p:, \??\p:, \??\h:, \??\b:, \??\j:, \??\q:, \??\s:, \??\o:, \??\s:, \??\u:, \??\v:, \??\x:, \??\m:, \??\n:, \??\h:, \??\j:, \??\n:, \??\y:, \??\a:, \??\o:, \??\t:, \??\w:, \??\g:, \??\i:
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (pqwygtdugk.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (pqwygtdugk.exe)
AutoIT Executable (6 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral1/memory/2080-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral1/files/0x0008000000014b47-5.dat (yara rule: autoit_exe)
- behavioral1/files/0x000b0000000120f6-17.dat (yara rule: autoit_exe)
- behavioral1/files/0x0008000000014bb1-28.dat (yara rule: autoit_exe)
- behavioral1/files/0x0008000000014bf3-33.dat (yara rule: autoit_exe)
- behavioral1/files/0x0006000000015e48-67.dat (yara rule: autoit_exe)
Drops file in System32 directory (9 IoCs)
- File created C:\Windows\SysWOW64\ptaevnytidcpglg.exe (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\khdcraej.exe (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\hzfdchexcuxpo.exe (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (pqwygtdugk.exe)
- File created C:\Windows\SysWOW64\pqwygtdugk.exe (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\ptaevnytidcpglg.exe (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\khdcraej.exe (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\hzfdchexcuxpo.exe (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\pqwygtdugk.exe (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
Drops file in Program Files directory (14 IoCs)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (khdcraej.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (khdcraej.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (khdcraej.exe)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (khdcraej.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (khdcraej.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (khdcraej.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (khdcraej.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (khdcraej.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (khdcraej.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (khdcraej.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (khdcraej.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (khdcraej.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (khdcraej.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (khdcraej.exe)
Drops file in Windows directory (5 IoCs)
- File opened for modification C:\Windows\mydoc.rtf (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
- File opened for modification C:\Windows\~$mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (hzfdchexcuxpo.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (khdcraej.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pqwygtdugk.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ptaevnytidcpglg.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (khdcraej.exe)

Office loads VBA resources, possible macro or embedded object present
Modifies registry class (19 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (pqwygtdugk.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (pqwygtdugk.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (pqwygtdugk.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (pqwygtdugk.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (pqwygtdugk.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (pqwygtdugk.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (pqwygtdugk.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5F9B0F917F1E5840F3B3081EB3E95B0FD02F043120239E1C942EC08D4" (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B15B4795399A52CCBAD332E9D7CC" (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FC8D4826856E9142D72F7D90BCE5E1315842664F623ED79B" (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C77815E4DBBEB8C07C97EDE034C6" (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (pqwygtdugk.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (pqwygtdugk.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432D799D5582566A4477D470222DDB7DF264AD" (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (pqwygtdugk.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F268C4FE6721DAD273D0A08B799162" (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (pqwygtdugk.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (pqwygtdugk.exe)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 2532 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2080 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe (8 entries)
- PID 2716 pqwygtdugk.exe (5 entries)
- PID 2568 ptaevnytidcpglg.exe (17 entries)
- PID 2092 khdcraej.exe (4 entries)
- PID 2660 hzfdchexcuxpo.exe (26 entries)
- PID 2512 khdcraej.exe (4 entries)

Suspicious use of FindShellTrayWindow (18 IoCs)
- PID 2080 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe (3 entries)
- PID 2716 pqwygtdugk.exe (3 entries)
- PID 2568 ptaevnytidcpglg.exe (3 entries)
- PID 2092 khdcraej.exe (3 entries)
- PID 2660 hzfdchexcuxpo.exe (3 entries)
- PID 2512 khdcraej.exe (3 entries)

Suspicious use of SendNotifyMessage (18 IoCs)
- PID 2080 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe (3 entries)
- PID 2716 pqwygtdugk.exe (3 entries)
- PID 2568 ptaevnytidcpglg.exe (3 entries)
- PID 2092 khdcraej.exe (3 entries)
- PID 2660 hzfdchexcuxpo.exe (3 entries)
- PID 2512 khdcraej.exe (3 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2532 WINWORD.EXE (2 entries)

Suspicious use of WriteProcessMemory (28 IoCs)
- PID 2080 (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe) wrote to memory of PID 2716, procid_target 28 (4 entries)
- PID 2080 (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe) wrote to memory of PID 2568, procid_target 29 (4 entries)
- PID 2080 (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe) wrote to memory of PID 2092, procid_target 30 (4 entries)
- PID 2080 (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe) wrote to memory of PID 2660, procid_target 31 (4 entries)
- PID 2716 (pqwygtdugk.exe) wrote to memory of PID 2512, procid_target 32 (4 entries)
- PID 2080 (d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe) wrote to memory of PID 2532, procid_target 33 (4 entries)
- PID 2532 (WINWORD.EXE) wrote to memory of PID 1780, procid_target 37 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe (depth 1, PID 2080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\pqwygtdugk.exe (depth 2, PID 2716)
    Command line: pqwygtdugk.exe
    Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Windows security modification; Enumerates connected drives; Modifies WinLogon; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\khdcraej.exe (depth 3, PID 2512)
      Command line: C:\Windows\system32\khdcraej.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\ptaevnytidcpglg.exe (depth 2, PID 2568)
    Command line: ptaevnytidcpglg.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\khdcraej.exe (depth 2, PID 2092)
    Command line: khdcraej.exe
    Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\hzfdchexcuxpo.exe (depth 2, PID 2660)
    Command line: hzfdchexcuxpo.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 2, PID 2532)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\splwow64.exe (depth 3, PID 1780)
      Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v15
- Persistence: Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1); Winlogon Helper DLL (1)
- Privilege Escalation: Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1); Winlogon Helper DLL (1)
- Defense Evasion: Hide Artifacts (2): Hidden Files and Directories (2); Impair Defenses (2): Disable or Modify Tools (2); Modify Registry (6)
Downloads