Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09/09/2024, 09:14
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
25 signatures
150 seconds
General
-
Target
d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe
-
Size
512KB
-
MD5
d604b476e25e617d82cba2ec70e61d09
-
SHA1
2fff18e9d8bf2d8a6ea0de48ab624bb39effc152
-
SHA256
ad2ef716bc4533dc33cdffbb9e1f3338bbefe12d671438f3af72324341ba3f86
-
SHA512
df87bbc710cc7b0acb4e3ddc6a4b46ac20859db1dcc93f2febcc40a3124f12336bf1bbcad2a56cf38f8e566de2e0144f62c0a125108b4de04aeb838cc9c9b4d6
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5u
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" aadtotcdfa.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" aadtotcdfa.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" aadtotcdfa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" aadtotcdfa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" aadtotcdfa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" aadtotcdfa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" aadtotcdfa.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aadtotcdfa.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 3412 aadtotcdfa.exe 2184 fbmtvbsakhsbgxw.exe 2444 rbllpgsn.exe 1720 oiintxnlqbxkz.exe 4792 rbllpgsn.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" aadtotcdfa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" aadtotcdfa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" aadtotcdfa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" aadtotcdfa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" aadtotcdfa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" aadtotcdfa.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lwzpywky = "aadtotcdfa.exe" fbmtvbsakhsbgxw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qnvrfcps = "fbmtvbsakhsbgxw.exe" fbmtvbsakhsbgxw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oiintxnlqbxkz.exe" fbmtvbsakhsbgxw.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\g: rbllpgsn.exe File opened (read-only) \??\l: rbllpgsn.exe File opened (read-only) \??\g: aadtotcdfa.exe File opened (read-only) \??\m: rbllpgsn.exe File opened (read-only) \??\j: rbllpgsn.exe File opened (read-only) \??\u: rbllpgsn.exe File opened (read-only) \??\r: rbllpgsn.exe File opened (read-only) \??\j: aadtotcdfa.exe File opened (read-only) \??\i: rbllpgsn.exe File opened (read-only) \??\k: rbllpgsn.exe File opened (read-only) \??\o: rbllpgsn.exe File opened (read-only) \??\p: rbllpgsn.exe File opened (read-only) \??\t: rbllpgsn.exe File opened (read-only) \??\b: aadtotcdfa.exe File opened (read-only) \??\q: aadtotcdfa.exe File opened (read-only) \??\t: aadtotcdfa.exe File opened (read-only) \??\s: rbllpgsn.exe File opened (read-only) \??\v: rbllpgsn.exe File opened (read-only) \??\s: rbllpgsn.exe File opened (read-only) \??\v: rbllpgsn.exe File opened (read-only) \??\l: aadtotcdfa.exe File opened (read-only) \??\u: aadtotcdfa.exe File opened (read-only) \??\e: rbllpgsn.exe File opened (read-only) \??\h: rbllpgsn.exe File opened (read-only) \??\n: rbllpgsn.exe File opened (read-only) \??\r: rbllpgsn.exe File opened (read-only) \??\z: rbllpgsn.exe File opened (read-only) \??\v: aadtotcdfa.exe File opened (read-only) \??\x: aadtotcdfa.exe File opened (read-only) \??\y: aadtotcdfa.exe File opened (read-only) \??\a: rbllpgsn.exe File opened (read-only) \??\x: rbllpgsn.exe File opened (read-only) \??\z: rbllpgsn.exe File opened (read-only) \??\o: rbllpgsn.exe File opened (read-only) \??\y: rbllpgsn.exe File opened (read-only) \??\i: aadtotcdfa.exe File opened (read-only) \??\b: rbllpgsn.exe File opened (read-only) \??\g: rbllpgsn.exe File opened (read-only) \??\z: aadtotcdfa.exe File opened (read-only) \??\p: rbllpgsn.exe File opened (read-only) \??\t: rbllpgsn.exe File opened (read-only) \??\y: rbllpgsn.exe File opened (read-only) \??\m: rbllpgsn.exe File opened (read-only) \??\w: rbllpgsn.exe File opened (read-only) \??\w: aadtotcdfa.exe File opened (read-only) \??\h: rbllpgsn.exe File opened (read-only) \??\j: rbllpgsn.exe File opened (read-only) \??\a: aadtotcdfa.exe File opened (read-only) \??\e: aadtotcdfa.exe File opened (read-only) \??\p: aadtotcdfa.exe File opened (read-only) \??\l: rbllpgsn.exe File opened (read-only) \??\w: rbllpgsn.exe File opened (read-only) \??\b: rbllpgsn.exe File opened (read-only) \??\n: rbllpgsn.exe File opened (read-only) \??\u: rbllpgsn.exe File opened (read-only) \??\h: aadtotcdfa.exe File opened (read-only) \??\m: aadtotcdfa.exe File opened (read-only) \??\s: aadtotcdfa.exe File opened (read-only) \??\i: rbllpgsn.exe File opened (read-only) \??\q: rbllpgsn.exe File opened (read-only) \??\o: aadtotcdfa.exe File opened (read-only) \??\a: rbllpgsn.exe File opened (read-only) \??\e: rbllpgsn.exe File opened (read-only) \??\x: rbllpgsn.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" aadtotcdfa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" aadtotcdfa.exe -
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/4756-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x000800000002344f-5.dat autoit_exe behavioral2/files/0x0007000000023453-28.dat autoit_exe behavioral2/files/0x0007000000023454-29.dat autoit_exe behavioral2/files/0x000b000000023444-20.dat autoit_exe behavioral2/files/0x0008000000023437-72.dat autoit_exe behavioral2/files/0x000700000002346c-96.dat autoit_exe behavioral2/files/0x000700000002346c-101.dat autoit_exe -
Drops file in System32 directory 12 IoCs
description ioc Process File created C:\Windows\SysWOW64\aadtotcdfa.exe d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\aadtotcdfa.exe d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe File created C:\Windows\SysWOW64\fbmtvbsakhsbgxw.exe d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\fbmtvbsakhsbgxw.exe d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe File created C:\Windows\SysWOW64\rbllpgsn.exe d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\rbllpgsn.exe d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe File created C:\Windows\SysWOW64\oiintxnlqbxkz.exe d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\oiintxnlqbxkz.exe d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll aadtotcdfa.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe rbllpgsn.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe rbllpgsn.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe rbllpgsn.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rbllpgsn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rbllpgsn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal rbllpgsn.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rbllpgsn.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rbllpgsn.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rbllpgsn.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rbllpgsn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rbllpgsn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal rbllpgsn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rbllpgsn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal rbllpgsn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rbllpgsn.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rbllpgsn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal rbllpgsn.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe rbllpgsn.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe rbllpgsn.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe rbllpgsn.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe rbllpgsn.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe rbllpgsn.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe rbllpgsn.exe File opened for modification C:\Windows\mydoc.rtf d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe rbllpgsn.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe rbllpgsn.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe rbllpgsn.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe rbllpgsn.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe rbllpgsn.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe rbllpgsn.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe rbllpgsn.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe rbllpgsn.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe rbllpgsn.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe rbllpgsn.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aadtotcdfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fbmtvbsakhsbgxw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language oiintxnlqbxkz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rbllpgsn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rbllpgsn.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAFACDF960F2E2840F3B4381983990B0FB02FC4212033BE1C945E809D4" d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B12847E239EE52CEBAD533EFD7C8" d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C67F14E4DBC0B8B97CE7EC9E37CA" d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" aadtotcdfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" aadtotcdfa.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFF8E4829851F903CD62F7DE2BDE1E6335945664F6335D69E" d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" aadtotcdfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" aadtotcdfa.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD68B2FF6E22D8D179D1A98A0B9063" d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat aadtotcdfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf aadtotcdfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" aadtotcdfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg aadtotcdfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C799C2D82206A3377D470252CDA7DF164D8" d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh aadtotcdfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc aadtotcdfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" aadtotcdfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs aadtotcdfa.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 3440 WINWORD.EXE 3440 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 2184 fbmtvbsakhsbgxw.exe 2184 fbmtvbsakhsbgxw.exe 2184 fbmtvbsakhsbgxw.exe 2184 fbmtvbsakhsbgxw.exe 2184 fbmtvbsakhsbgxw.exe 2184 fbmtvbsakhsbgxw.exe 2184 fbmtvbsakhsbgxw.exe 2184 fbmtvbsakhsbgxw.exe 3412 aadtotcdfa.exe 3412 aadtotcdfa.exe 3412 aadtotcdfa.exe 3412 aadtotcdfa.exe 3412 aadtotcdfa.exe 3412 aadtotcdfa.exe 3412 aadtotcdfa.exe 3412 aadtotcdfa.exe 3412 aadtotcdfa.exe 3412 aadtotcdfa.exe 2184 fbmtvbsakhsbgxw.exe 2184 fbmtvbsakhsbgxw.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 2444 rbllpgsn.exe 2444 rbllpgsn.exe 2444 rbllpgsn.exe 2444 rbllpgsn.exe 2444 rbllpgsn.exe 2444 rbllpgsn.exe 2444 rbllpgsn.exe 2444 rbllpgsn.exe 4792 rbllpgsn.exe 4792 rbllpgsn.exe 4792 rbllpgsn.exe 4792 rbllpgsn.exe 4792 rbllpgsn.exe 4792 rbllpgsn.exe 4792 rbllpgsn.exe 4792 rbllpgsn.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 2184 fbmtvbsakhsbgxw.exe 2184 fbmtvbsakhsbgxw.exe 2184 fbmtvbsakhsbgxw.exe 3412 aadtotcdfa.exe 3412 aadtotcdfa.exe 3412 aadtotcdfa.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 2444 rbllpgsn.exe 2444 rbllpgsn.exe 2444 rbllpgsn.exe 4792 rbllpgsn.exe 4792 rbllpgsn.exe 4792 rbllpgsn.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 2184 fbmtvbsakhsbgxw.exe 2184 fbmtvbsakhsbgxw.exe 2184 fbmtvbsakhsbgxw.exe 3412 aadtotcdfa.exe 3412 aadtotcdfa.exe 3412 aadtotcdfa.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 1720 oiintxnlqbxkz.exe 2444 rbllpgsn.exe 2444 rbllpgsn.exe 2444 rbllpgsn.exe 4792 rbllpgsn.exe 4792 rbllpgsn.exe 4792 rbllpgsn.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 3440 WINWORD.EXE 3440 WINWORD.EXE 3440 WINWORD.EXE 3440 WINWORD.EXE 3440 WINWORD.EXE 3440 WINWORD.EXE 3440 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 4756 wrote to memory of 3412 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 87 PID 4756 wrote to memory of 3412 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 87 PID 4756 wrote to memory of 3412 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 87 PID 4756 wrote to memory of 2184 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 88 PID 4756 wrote to memory of 2184 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 88 PID 4756 wrote to memory of 2184 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 88 PID 4756 wrote to memory of 2444 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 89 PID 4756 wrote to memory of 2444 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 89 PID 4756 wrote to memory of 2444 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 89 PID 4756 wrote to memory of 1720 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 90 PID 4756 wrote to memory of 1720 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 90 PID 4756 wrote to memory of 1720 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 90 PID 3412 wrote to memory of 4792 3412 aadtotcdfa.exe 91 PID 3412 wrote to memory of 4792 3412 aadtotcdfa.exe 91 PID 3412 wrote to memory of 4792 3412 aadtotcdfa.exe 91 PID 4756 wrote to memory of 3440 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 92 PID 4756 wrote to memory of 3440 4756 d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d604b476e25e617d82cba2ec70e61d09_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\aadtotcdfa.exeaadtotcdfa.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\SysWOW64\rbllpgsn.exeC:\Windows\system32\rbllpgsn.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4792
-
-
-
C:\Windows\SysWOW64\fbmtvbsakhsbgxw.exefbmtvbsakhsbgxw.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2184
-
-
C:\Windows\SysWOW64\rbllpgsn.exerbllpgsn.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2444
-
-
C:\Windows\SysWOW64\oiintxnlqbxkz.exeoiintxnlqbxkz.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1720
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3440
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD570eaa6fc1e50fd2c293edcbdbc37c9e8
SHA119fd67cca86402c706c07da418e7b94b826e879b
SHA25663f54719bb831a28446a47398ab1c17299c4a3f84cefb9e23c9fd26db927cb54
SHA512205ece84995803d5e898f719e1c55aedb4a5191ac41ea344db3e9b334f1f21aca86db8e8f33134800244aec49f64ea523c28ea221ef75469813e91c0f8614912
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
299B
MD53a8fb4c0dc81c0838a48f448093485bf
SHA1267ca041b1fcf944b11eb137e4fceec1d61eaff7
SHA25645168b78832d0982c82b75f2f4f56125198fe54355370cf81aabe10d9ea1ed1b
SHA512ef3d927cffdebbf586930c248ee75f1cecd9d215428f702180e083c8343f8a2e154bc711d68b0ecd40b3d81d8a9b7f6a58c00fd058b312f979e8d453ff43e908
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize678B
MD556712a1cbef31dab3385fb26bbd85229
SHA1edd4e6ed8da1dc021aadd8f8df91f6fa66a3e575
SHA2560c5fbf81673881f81a0b1dc2c37acf6e072d098a7543c8ac9fd877d2ce18a0e9
SHA5128c32698a0805cac73dbe2f1cf49767720eb995dd7bab441fc1d380ab65985a41022ef108590f2b9ecd73359496b58bee6fe29e96d75d994ff95426190cbf1231
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD53b8e15a24d422b8437dd37a3e3965be6
SHA1dc7f286d1d7ff14af08cbd18c63cc675401bba7b
SHA2561b80bd9ce07d377dba235cf06503c077c8712df06cd8b64b8373b889adb48995
SHA51244bfe8beb88f92ac89b41549ba7f9b9d3aec035d525b8e4cbb41ef6348f65e96aa72305df0d3bf6057b443077af8ce0ea08873cfd5ca474af2417d4e2b5d58d8
-
Filesize
512KB
MD5ad1f882ddc9fa1fdf8c93f668bb62350
SHA1b503cc059f0ebfd7357d0d14659463c8ee3d9b20
SHA256ddd4899a5e6f4390043f135e7e9651502c307a52aa7b1af0be7c7f29ecf7d30e
SHA51299b775f4ad937ed25ab543605832baa90f756a2747633d6d466e43213c412ed31869a4a10dd7be462cead1fa099fdb8ef04694d9831e1c513d2cc35912931fdb
-
Filesize
512KB
MD553a13634c1dbc70b5a30ec4735182650
SHA13b19dafb45aa13a74989af4cb5489927656afa6b
SHA2564e98104e655e0fd2e9d71516daf18c403e7c0b9a1a912aeaeb1e92c9fdcf6ea9
SHA5120013090c1bf8c2989ff5d1e29fefb9508fc4bf1ee403a233b8f3ef1cebb2b0b6346e874515aa2053815b719287a5151b393439534bbf25effb4e57d6583da206
-
Filesize
512KB
MD5b692020194ae9163a7622d897cd4d34e
SHA161ad583ad91a32170073bfc0b6f8e134c66d10ca
SHA256ca360ebebe249b86c6483be9320743cfdc43359cff8a1b626f9b2843b67a228f
SHA512c59a06d8c3ca2bd558ac5057d864f42b22a9bddc34e62f8b01ab6e7feaa4ce0141c9b61f0b961c5ee0625ba28f1dfdc2cdb8763dc5204212793c7e8b6799b52c
-
Filesize
512KB
MD55f16a10e5a486a2a88f209b9bccf26b2
SHA1aa2b195356c8597509b7cd837135e9fbf7f4de7c
SHA2568f86e16db668e5e204f745e40af4a16c7aa13010db6b4b665c6d12f357995f63
SHA512a35b39fdb80bae3f2f1a30e34682014201f13e0c69884efbc5293b6908d5005be7f8cca5b68cc5eac574145ebb1a5ecc85f0173e76b1a1e752c91aae162ac70e
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5c86de5ca2e0cc54f97725a6c861a686f
SHA1f705090cd5e5a6f790a487c08443d50a5b150ad6
SHA256abe63d09c37ba50d1face92d49599ab3bc1f8276a14d42359e71f7f2133b7d42
SHA512d0c0d4fe64deac688cdc8dd3104f6bb501f1211c00fb2590695488f01288bdb6bd952e70773aec3166d535bebe917c13587b8482c5afe1488665f7b2a8702833
-
Filesize
512KB
MD532d4ffeccdda67812f6c80670f8d6c2b
SHA114df895be2c1d34031bf23e3d952b9041563321b
SHA25665485390ceb828f4321840408605df89a5687cfbac367a5d892faabf9ce728a7
SHA5122a8cacbcd94d1c7b546d8add14eeb2bc10d3e64dbe5f8fd57b7f9e7a7ebab51788853016ed33901b3cf131e6925635d3510c0b4b6667cf0a2bb6a09c474dc8ad