Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11/09/2024, 22:23
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
25 signatures
150 seconds
General
-
Target
db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
-
Size
512KB
-
MD5
db53214997f3f8f0ab3925730ef560aa
-
SHA1
831e75721a64692f52c56ba7ef8c94b09e84a927
-
SHA256
e826ff5437728e84f7c12ba6a28d527bb45e2a8d5ef3e88933a9c99425d2aee0
-
SHA512
d291e04f0e89f6e2b543793bd11a10ebf5d86a0a577a5ec11f3a05e02fd9bc9bd4ec5411cb2cbd665f2e35fe074534f72947e627de32cdc655cd2d7c13bd1424
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6X:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5m
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" qzpwafcplm.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" qzpwafcplm.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" qzpwafcplm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" qzpwafcplm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" qzpwafcplm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" qzpwafcplm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" qzpwafcplm.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qzpwafcplm.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 2392 qzpwafcplm.exe 1648 kozhvxkindsoxmm.exe 3784 egmbvcsl.exe 2528 zdvqwuaetrazp.exe 2860 egmbvcsl.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" qzpwafcplm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" qzpwafcplm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" qzpwafcplm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" qzpwafcplm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" qzpwafcplm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" qzpwafcplm.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xwhopmka = "qzpwafcplm.exe" kozhvxkindsoxmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gwrxybxg = "kozhvxkindsoxmm.exe" kozhvxkindsoxmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zdvqwuaetrazp.exe" kozhvxkindsoxmm.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\r: egmbvcsl.exe File opened (read-only) \??\t: qzpwafcplm.exe File opened (read-only) \??\x: qzpwafcplm.exe File opened (read-only) \??\j: egmbvcsl.exe File opened (read-only) \??\w: qzpwafcplm.exe File opened (read-only) \??\h: egmbvcsl.exe File opened (read-only) \??\g: egmbvcsl.exe File opened (read-only) \??\m: egmbvcsl.exe File opened (read-only) \??\v: egmbvcsl.exe File opened (read-only) \??\g: qzpwafcplm.exe File opened (read-only) \??\k: qzpwafcplm.exe File opened (read-only) \??\b: egmbvcsl.exe File opened (read-only) \??\q: qzpwafcplm.exe File opened (read-only) \??\z: egmbvcsl.exe File opened (read-only) \??\r: qzpwafcplm.exe File opened (read-only) \??\s: qzpwafcplm.exe File opened (read-only) \??\e: egmbvcsl.exe File opened (read-only) \??\o: egmbvcsl.exe File opened (read-only) \??\w: egmbvcsl.exe File opened (read-only) \??\i: egmbvcsl.exe File opened (read-only) \??\m: qzpwafcplm.exe File opened (read-only) \??\b: egmbvcsl.exe File opened (read-only) \??\p: egmbvcsl.exe File opened (read-only) \??\o: qzpwafcplm.exe File opened (read-only) \??\q: egmbvcsl.exe File opened (read-only) \??\u: egmbvcsl.exe File opened (read-only) \??\z: qzpwafcplm.exe File opened (read-only) \??\t: egmbvcsl.exe File opened (read-only) \??\x: egmbvcsl.exe File opened (read-only) \??\y: egmbvcsl.exe File opened (read-only) \??\n: egmbvcsl.exe File opened (read-only) \??\z: egmbvcsl.exe File opened (read-only) \??\i: qzpwafcplm.exe File opened (read-only) \??\u: qzpwafcplm.exe File opened (read-only) \??\v: qzpwafcplm.exe File opened (read-only) \??\m: egmbvcsl.exe File opened (read-only) \??\s: egmbvcsl.exe File opened (read-only) \??\e: egmbvcsl.exe File opened (read-only) \??\o: egmbvcsl.exe File opened (read-only) \??\t: egmbvcsl.exe File opened (read-only) \??\b: qzpwafcplm.exe File opened (read-only) \??\y: qzpwafcplm.exe File opened (read-only) \??\k: egmbvcsl.exe File opened (read-only) \??\u: egmbvcsl.exe File opened (read-only) \??\p: egmbvcsl.exe File opened (read-only) \??\y: egmbvcsl.exe File opened (read-only) \??\l: egmbvcsl.exe File opened (read-only) \??\n: egmbvcsl.exe File opened (read-only) \??\v: egmbvcsl.exe File opened (read-only) \??\q: egmbvcsl.exe File opened (read-only) \??\x: egmbvcsl.exe File opened (read-only) \??\p: qzpwafcplm.exe File opened (read-only) \??\a: egmbvcsl.exe File opened (read-only) \??\r: egmbvcsl.exe File opened (read-only) \??\l: egmbvcsl.exe File opened (read-only) \??\k: egmbvcsl.exe File opened (read-only) \??\j: egmbvcsl.exe File opened (read-only) \??\a: qzpwafcplm.exe File opened (read-only) \??\h: qzpwafcplm.exe File opened (read-only) \??\j: qzpwafcplm.exe File opened (read-only) \??\l: qzpwafcplm.exe File opened (read-only) \??\w: egmbvcsl.exe File opened (read-only) \??\g: egmbvcsl.exe File opened (read-only) \??\i: egmbvcsl.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" qzpwafcplm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" qzpwafcplm.exe -
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/5088-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x00070000000234df-5.dat autoit_exe behavioral2/files/0x00080000000234d8-18.dat autoit_exe behavioral2/files/0x00070000000234e0-24.dat autoit_exe behavioral2/files/0x00070000000234e1-32.dat autoit_exe behavioral2/files/0x000800000002349a-75.dat autoit_exe behavioral2/files/0x000c0000000233e8-81.dat autoit_exe behavioral2/files/0x00090000000234cc-103.dat autoit_exe behavioral2/files/0x00090000000234cc-111.dat autoit_exe -
Drops file in System32 directory 13 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\qzpwafcplm.exe db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe egmbvcsl.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe egmbvcsl.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe egmbvcsl.exe File created C:\Windows\SysWOW64\qzpwafcplm.exe db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe egmbvcsl.exe File created C:\Windows\SysWOW64\egmbvcsl.exe db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\egmbvcsl.exe db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\zdvqwuaetrazp.exe db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll qzpwafcplm.exe File opened for modification C:\Windows\SysWOW64\kozhvxkindsoxmm.exe db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe File created C:\Windows\SysWOW64\zdvqwuaetrazp.exe db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe File created C:\Windows\SysWOW64\kozhvxkindsoxmm.exe db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal egmbvcsl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe egmbvcsl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal egmbvcsl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe egmbvcsl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal egmbvcsl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe egmbvcsl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe egmbvcsl.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe egmbvcsl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe egmbvcsl.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe egmbvcsl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe egmbvcsl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe egmbvcsl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe egmbvcsl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal egmbvcsl.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe egmbvcsl.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe egmbvcsl.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe egmbvcsl.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe egmbvcsl.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe egmbvcsl.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe egmbvcsl.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe egmbvcsl.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe egmbvcsl.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe egmbvcsl.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe egmbvcsl.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe egmbvcsl.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe egmbvcsl.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe egmbvcsl.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe egmbvcsl.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe egmbvcsl.exe File opened for modification C:\Windows\mydoc.rtf db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe egmbvcsl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zdvqwuaetrazp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language egmbvcsl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qzpwafcplm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language egmbvcsl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kozhvxkindsoxmm.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B12D47E3399952C8BAD133EFD7CA" db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFF834F2682699046D65B7D94BD93E636584567466234D6EB" db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668B2FE6C21AED10BD0A38A0B916B" db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" qzpwafcplm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg qzpwafcplm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc qzpwafcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" qzpwafcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" qzpwafcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" qzpwafcplm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh qzpwafcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" qzpwafcplm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf qzpwafcplm.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEFABBFE67F191840F3A3286E93998B08102F042120349E2BD42ED08A7" db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC70F14E0DBB3B9CD7CE6EC9634CE" db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" qzpwafcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422D0D9D5082586A4676D670252DDE7D8264AF" db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat qzpwafcplm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs qzpwafcplm.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1964 WINWORD.EXE 1964 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 2392 qzpwafcplm.exe 2392 qzpwafcplm.exe 2392 qzpwafcplm.exe 2392 qzpwafcplm.exe 2392 qzpwafcplm.exe 2392 qzpwafcplm.exe 2392 qzpwafcplm.exe 2392 qzpwafcplm.exe 2392 qzpwafcplm.exe 2392 qzpwafcplm.exe 3784 egmbvcsl.exe 3784 egmbvcsl.exe 3784 egmbvcsl.exe 3784 egmbvcsl.exe 3784 egmbvcsl.exe 3784 egmbvcsl.exe 3784 egmbvcsl.exe 3784 egmbvcsl.exe 1648 kozhvxkindsoxmm.exe 1648 kozhvxkindsoxmm.exe 1648 kozhvxkindsoxmm.exe 1648 kozhvxkindsoxmm.exe 1648 kozhvxkindsoxmm.exe 1648 kozhvxkindsoxmm.exe 1648 kozhvxkindsoxmm.exe 1648 kozhvxkindsoxmm.exe 2528 zdvqwuaetrazp.exe 2528 zdvqwuaetrazp.exe 2528 zdvqwuaetrazp.exe 2528 zdvqwuaetrazp.exe 2528 zdvqwuaetrazp.exe 2528 zdvqwuaetrazp.exe 2528 zdvqwuaetrazp.exe 2528 zdvqwuaetrazp.exe 2860 egmbvcsl.exe 2860 egmbvcsl.exe 2860 egmbvcsl.exe 2860 egmbvcsl.exe 2860 egmbvcsl.exe 2860 egmbvcsl.exe 2860 egmbvcsl.exe 2860 egmbvcsl.exe 1648 kozhvxkindsoxmm.exe 1648 kozhvxkindsoxmm.exe 2528 zdvqwuaetrazp.exe 2528 zdvqwuaetrazp.exe 2528 zdvqwuaetrazp.exe 2528 zdvqwuaetrazp.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 2392 qzpwafcplm.exe 2392 qzpwafcplm.exe 2392 qzpwafcplm.exe 3784 egmbvcsl.exe 3784 egmbvcsl.exe 3784 egmbvcsl.exe 2528 zdvqwuaetrazp.exe 2528 zdvqwuaetrazp.exe 2528 zdvqwuaetrazp.exe 1648 kozhvxkindsoxmm.exe 1648 kozhvxkindsoxmm.exe 1648 kozhvxkindsoxmm.exe 2860 egmbvcsl.exe 2860 egmbvcsl.exe 2860 egmbvcsl.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 2392 qzpwafcplm.exe 2392 qzpwafcplm.exe 2392 qzpwafcplm.exe 3784 egmbvcsl.exe 3784 egmbvcsl.exe 3784 egmbvcsl.exe 2528 zdvqwuaetrazp.exe 2528 zdvqwuaetrazp.exe 2528 zdvqwuaetrazp.exe 1648 kozhvxkindsoxmm.exe 1648 kozhvxkindsoxmm.exe 1648 kozhvxkindsoxmm.exe 2860 egmbvcsl.exe 2860 egmbvcsl.exe 2860 egmbvcsl.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1964 WINWORD.EXE 1964 WINWORD.EXE 1964 WINWORD.EXE 1964 WINWORD.EXE 1964 WINWORD.EXE 1964 WINWORD.EXE 1964 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 5088 wrote to memory of 2392 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 87 PID 5088 wrote to memory of 2392 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 87 PID 5088 wrote to memory of 2392 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 87 PID 5088 wrote to memory of 1648 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 88 PID 5088 wrote to memory of 1648 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 88 PID 5088 wrote to memory of 1648 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 88 PID 5088 wrote to memory of 3784 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 89 PID 5088 wrote to memory of 3784 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 89 PID 5088 wrote to memory of 3784 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 89 PID 5088 wrote to memory of 2528 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 90 PID 5088 wrote to memory of 2528 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 90 PID 5088 wrote to memory of 2528 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 90 PID 2392 wrote to memory of 2860 2392 qzpwafcplm.exe 91 PID 2392 wrote to memory of 2860 2392 qzpwafcplm.exe 91 PID 2392 wrote to memory of 2860 2392 qzpwafcplm.exe 91 PID 5088 wrote to memory of 1964 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 92 PID 5088 wrote to memory of 1964 5088 db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\qzpwafcplm.exeqzpwafcplm.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\egmbvcsl.exeC:\Windows\system32\egmbvcsl.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2860
-
-
-
C:\Windows\SysWOW64\kozhvxkindsoxmm.exekozhvxkindsoxmm.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1648
-
-
C:\Windows\SysWOW64\egmbvcsl.exeegmbvcsl.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3784
-
-
C:\Windows\SysWOW64\zdvqwuaetrazp.exezdvqwuaetrazp.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2528
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1964
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD53100a1f4dbfcb42697cc62786b1b3215
SHA1a229b8b53462a962197396fd42b8a55f3038014d
SHA256d4c47a95017240ccf43840493d12c09d3e85140fd9799d2654a5433c5932f639
SHA5121ff2d11198d82c9a6de71901d921c41cd6379ab22b366e1dc12b2edf659f88ec953476c7db06bfc29aca18820380bfa7f474054d9a0a72f47268dab081f66a91
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
317B
MD5fd71650527cfe6b43c0f1bf3ce44e685
SHA1ab81264040390659859a58ffc977f4144785df47
SHA2562379837096110874e03b1d94e154df264bf5d214e8d5d77b8fca5df55fadcb9c
SHA512ca59ef0473a1240925fb09ed9c0aa61ef49430a2f0f2e1a1fd1f697e6e7e543b20ac882e320be8d2fbf087bbdadae19ec871578ff61f23c06d1f39d83b835006
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD52e5e48a6470457d711c2d6dc9331b814
SHA1f3c4800b8fe27d779a12694e72bd75ae5dcdc98b
SHA256f8b363edf56abc98a233690abbfcc779e2feb97c511109b57cb4c9e4e3666c83
SHA51258ee409dcd35365e96f8de679c1f71a23fb38536a511c21338f22f6a6c7916f58911fed9919e968364ab4fbce3b7646b0a306c0d8ad572e12e728ca6fd8fc44f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize2KB
MD54837568414fa424cf60b1641b98360e7
SHA100ab2d1108aa73ed2d95f06e360759973556c727
SHA256257f270c173fbe278ae69f3be2f0d6b4a7eb42b3946b8d1c053fad6b3904e631
SHA51200aca1537044cc3b6ba958cff78e776ab88d1eda0ce98d653b3060c91c78c9daca6567a6d71ef67495f1505c734265b975957da1ed59944fc80fbf4234ecfa2b
-
Filesize
512KB
MD55445bebb651a69ad984c3a46bf53e0b5
SHA1664a5244256e1826dccf7c5ff7646184ebbdc044
SHA256f06bd86356bcf0dd09a8672b3468970386447064af01cf78e74c0a5c6b27c6da
SHA512f2d1ee6bb333ec7c6929d061366624715b7478b5952dae22caf01addba5c06cde5aa8f1244102ae2c05be9bcf9439d91104fe0f38f7493c49648cb63af8d9e76
-
Filesize
512KB
MD5c2652ca48f18d29982e7dd845af42b63
SHA19e11457e543336ea5e2a82ca1374f894b0f5034c
SHA2562b6928ef46a58326a908bf44d661675fca13b377465a14bb0a1ab730b0bcf60e
SHA512df3d4e29de1660b930b38bc958e37e4fbef3f74ff58b87cdc35efcdcb38e4a2bf0a49b3454c76291b05a303857f3386817804ef7e9a0a5fd3888887bed5de306
-
Filesize
512KB
MD51cb502f3b9b6e68b103b184944deb89f
SHA14306cc7251307fa7b98c8dbaf512ec118e847c30
SHA256db5f5c551bc579beb586a5c887bbb072ed4d355664df99ec1fab251144924b85
SHA51251dbd7dfa2bef8749cb1dd0d26b961c8b2293c2aad8ec95c08386ad850323bb26ff0e335c7ffe0d208ce812a41836f8cc1ea2dcc410f5bafa513c74aee836109
-
Filesize
512KB
MD57694480696fec322159515d0733d35c4
SHA1ddb6ef3486da7c84cdd5d8db2c9fce2d99a1fe45
SHA2569a90467cf3922ff5415c161d67115c0f40b110688eaab8e5c0d8e33ae9872f22
SHA5126b48f708559b84191081005d1096c9ed8c4ccab99f46632939b3a740463fee01322c72d736ece6c385549166c895b26da10d64a22eaf4acf293dc58019330dd7
-
Filesize
512KB
MD5608c14b61cc0c4303935779b7b266202
SHA15e5731e17671c786ac7e89d3e877fb9ad3005709
SHA256f926317bc9c8038949b9777caeac9a810324625c8125248b48029cca67fddacd
SHA5124e8fe1e720c0ad45b3f08c17b6d4784e898a76f9b5331c3f05b6b214bf73e9de25ac99127b202b88319dbab2a11b3f5cd3a0561c9a0c34f7e2f00c3bccaf6555
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD565d61ecabd9980411dee6450fe9b3cff
SHA1986a699e3e421c2d74e7657a764266f953e8f772
SHA2565719934f93bd18274121ce32a20bfd1b64fcac656507f8f63c0f3f08a009cb0d
SHA512cfc14dd5d6818828119db6ef7771d8fcbc1d73486bcbd9f3bcb6bd3f7d401ab681929eabbdfbbfa6c3a5170b1681432bec6d0e9ff301504cf07e6008bef10e0e
-
Filesize
512KB
MD56206dbb964623aac0a5b78155fa4a759
SHA1ed1bb98192dfb39ae46d8030618351832735b24b
SHA256ca6a779e7341320762b4a0db02653b1886c088aa860fbc8c269364813a4e824c
SHA51296d190e4fd623c94e0839ebdf7c0ab2fa424e0f77831a71f0e7915df6b83ed7f6d131117ce851122e6632fcac10256eef61a0261b540f5d090e68d437e859c18