Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/09/2024, 23:18
Static task: static1
Behavioral task: behavioral1
  Sample: db66b3698482c366c1de1189e75e2450_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: db66b3698482c366c1de1189e75e2450_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: db66b3698482c366c1de1189e75e2450_JaffaCakes118.exe
Size: 496KB
MD5: db66b3698482c366c1de1189e75e2450
SHA1: 4dcf416c4da2476a6340f8d48b75aae1af7552d4
SHA256: 5ee51a9806a81b2083b8530d9ec3a923103f1a3f50a8302fa399daa41789723e
SHA512: 05a0024e36cc8d1644355124a0a453c7f46d853fbf4df99541a55e862eda8e230ed873f9ed66b545044c0dc527ad98faf267ba753783d04ecbacbb45a21f7747
SSDEEP: 12288:LDCPENnBV5jaHBoFvZstQW012B04Ngjw5qu8jxTQlDrLOM:LEEZBV5jCoFvZsSWG2BdN+w2+O
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | 3men.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | j29oAE.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zeeag.exe
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
pid | Process
1760 | cmd.exe
Executes dropped EXE 12 IoCs
pid | Process
2660 | j29oAE.exe
2672 | zeeag.exe
2568 | 2men.exe
276 | 2men.exe
2060 | 2men.exe
2808 | 2men.exe
1144 | 2men.exe
1600 | 2men.exe
1200 | 3men.exe
2804 | 3men.exe
2820 | 3men.exe
2076 | FDDF.tmp
Loads dropped DLL 10 IoCs
pid | Process
3028 | db66b3698482c366c1de1189e75e2450_JaffaCakes118.exe
3028 | db66b3698482c366c1de1189e75e2450_JaffaCakes118.exe
2660 | j29oAE.exe
2660 | j29oAE.exe
3028 | db66b3698482c366c1de1189e75e2450_JaffaCakes118.exe
3028 | db66b3698482c366c1de1189e75e2450_JaffaCakes118.exe
3028 | db66b3698482c366c1de1189e75e2450_JaffaCakes118.exe
3028 | db66b3698482c366c1de1189e75e2450_JaffaCakes118.exe
1200 | 3men.exe
1200 | 3men.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 53 IoCs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 2men.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 2men.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
2952 | tasklist.exe
2564 | tasklist.exe
Suspicious use of SetThreadContext 5 IoCs
description | pid | Process | procid_target
PID 2568 set thread context of 276 | 2568 | 2men.exe | 37
PID 2568 set thread context of 2060 | 2568 | 2men.exe | 38
PID 2568 set thread context of 2808 | 2568 | 2men.exe | 39
PID 2568 set thread context of 1144 | 2568 | 2men.exe | 40
PID 2568 set thread context of 1600 | 2568 | 2men.exe | 41
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\LP\9A62\EB5.exe | 3men.exe
File opened for modification | C:\Program Files (x86)\LP\9A62\EB5.exe | 3men.exe
File opened for modification | C:\Program Files (x86)\LP\9A62\FDDF.tmp | 3men.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zeeag.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2men.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3men.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3men.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | db66b3698482c366c1de1189e75e2450_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2men.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3men.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2men.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FDDF.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | j29oAE.exe
Modifies registry class 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3040 | explorer.exe
Suspicious use of AdjustPrivilegeToken 17 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2564 | tasklist.exe
Token: SeRestorePrivilege | 3052 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3052 | msiexec.exe
Token: SeSecurityPrivilege | 3052 | msiexec.exe
Token: SeDebugPrivilege | 2952 | tasklist.exe
Token: SeShutdownPrivilege | 3040 | explorer.exe
Token: SeShutdownPrivilege | 3040 | explorer.exe
Token: SeShutdownPrivilege | 3040 | explorer.exe
Token: SeShutdownPrivilege | 3040 | explorer.exe
Token: SeShutdownPrivilege | 3040 | explorer.exe
Token: SeShutdownPrivilege | 3040 | explorer.exe
Token: SeShutdownPrivilege | 3040 | explorer.exe
Token: SeShutdownPrivilege | 3040 | explorer.exe
Token: SeShutdownPrivilege | 3040 | explorer.exe
Token: SeShutdownPrivilege | 3040 | explorer.exe
Token: SeShutdownPrivilege | 3040 | explorer.exe
Token: SeShutdownPrivilege | 3040 | explorer.exe
Suspicious use of FindShellTrayWindow 29 IoCs
Suspicious use of SendNotifyMessage 19 IoCs
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
3028 | db66b3698482c366c1de1189e75e2450_JaffaCakes118.exe
2660 | j29oAE.exe
2672 | zeeag.exe
2568 | 2men.exe
276 | 2men.exe
1144 | 2men.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 3men.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | 3men.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\db66b3698482c366c1de1189e75e2450_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\db66b3698482c366c1de1189e75e2450_JaffaCakes118.exe"
    PID: 3028
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\j29oAE.exe
        Command line: C:\Users\Admin\j29oAE.exe
        PID: 2660
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\zeeag.exe
            Command line: "C:\Users\Admin\zeeag.exe"
            PID: 2672
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del j29oAE.exe
            PID: 2648
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\tasklist.exe
                Command line: tasklist
                PID: 2564
                - Enumerates processes with tasklist
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\2men.exe
        Command line: C:\Users\Admin\2men.exe
        PID: 2568
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\2men.exe
            Command line: "C:\Users\Admin\2men.exe"
            PID: 276
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\2men.exe
            Command line: "C:\Users\Admin\2men.exe"
            PID: 2060
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Users\Admin\2men.exe
            Command line: "C:\Users\Admin\2men.exe"
            PID: 2808
            - Executes dropped EXE
            - Maps connected drives based on registry
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Users\Admin\2men.exe
            Command line: "C:\Users\Admin\2men.exe"
            PID: 1144
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\2men.exe
            Command line: "C:\Users\Admin\2men.exe"
            PID: 1600
            - Executes dropped EXE

    [2] C:\Users\Admin\3men.exe
        Command line: C:\Users\Admin\3men.exe
        PID: 1200
        - Modifies security service
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - System policy modification

        [3] C:\Users\Admin\3men.exe
            Command line: C:\Users\Admin\3men.exe startC:\Users\Admin\AppData\Roaming\21A86\37C9A.exe%C:\Users\Admin\AppData\Roaming\21A86
            PID: 2804
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\3men.exe
            Command line: C:\Users\Admin\3men.exe startC:\Program Files (x86)\86683\lvvm.exe%C:\Program Files (x86)\86683
            PID: 2820
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

        [3] C:\Program Files (x86)\LP\9A62\FDDF.tmp
            Command line: "C:\Program Files (x86)\LP\9A62\FDDF.tmp"
            PID: 2076
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del db66b3698482c366c1de1189e75e2450_JaffaCakes118.exe
        PID: 1760
        - Deletes itself
        - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\tasklist.exe
            Command line: tasklist
            PID: 2952
            - Enumerates processes with tasklist
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 3052
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\explorer.exe
    Command line: explorer.exe
    PID: 3040
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (5)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads