Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/09/2024, 18:29
Static task
static1
Behavioral task
behavioral1
Sample
dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Resource
win7-20240903-en
General
Target: dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Size: 512KB
MD5: dea93f1cf0308015e42e51b05ef13bd4
SHA1: ef049f6085dbac0812ac290c8ecebdea689302e6
SHA256: 403bb8f98bf5d3a930330989a8e283738f64e6977d53697789a87f89db8acc37
SHA512: ba0e3ba096083a7202181504ec1fcaf7b3c11f9d071d9021a051e9c200b7d17aecb1e1a8be4f86b3794534bddd96ce2a77c0ffd1fc991cb68ab69f709326a5c2
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | fpwiaaytbq.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | fpwiaaytbq.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fpwiaaytbq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | fpwiaaytbq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fpwiaaytbq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fpwiaaytbq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fpwiaaytbq.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fpwiaaytbq.exe
Executes dropped EXE 5 IoCs
pid | Process
588 | fpwiaaytbq.exe
2424 | trsbixxhbjawcnj.exe
2728 | icloyufl.exe
2840 | sczeojbjsotzz.exe
2884 | icloyufl.exe
Loads dropped DLL 5 IoCs
pid | Process
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
588 | fpwiaaytbq.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fpwiaaytbq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | fpwiaaytbq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fpwiaaytbq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fpwiaaytbq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fpwiaaytbq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | fpwiaaytbq.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oqayapke = "fpwiaaytbq.exe" | trsbixxhbjawcnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\adkazjko = "trsbixxhbjawcnj.exe" | trsbixxhbjawcnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sczeojbjsotzz.exe" | trsbixxhbjawcnj.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\t: | icloyufl.exe
File opened (read-only) | \??\q: | icloyufl.exe
File opened (read-only) | \??\g: | fpwiaaytbq.exe
File opened (read-only) | \??\w: | fpwiaaytbq.exe
File opened (read-only) | \??\i: | icloyufl.exe
File opened (read-only) | \??\l: | icloyufl.exe
File opened (read-only) | \??\r: | icloyufl.exe
File opened (read-only) | \??\l: | icloyufl.exe
File opened (read-only) | \??\o: | icloyufl.exe
File opened (read-only) | \??\v: | icloyufl.exe
File opened (read-only) | \??\u: | fpwiaaytbq.exe
File opened (read-only) | \??\s: | icloyufl.exe
File opened (read-only) | \??\t: | fpwiaaytbq.exe
File opened (read-only) | \??\e: | icloyufl.exe
File opened (read-only) | \??\h: | icloyufl.exe
File opened (read-only) | \??\j: | icloyufl.exe
File opened (read-only) | \??\m: | icloyufl.exe
File opened (read-only) | \??\e: | fpwiaaytbq.exe
File opened (read-only) | \??\n: | fpwiaaytbq.exe
File opened (read-only) | \??\s: | fpwiaaytbq.exe
File opened (read-only) | \??\a: | icloyufl.exe
File opened (read-only) | \??\t: | icloyufl.exe
File opened (read-only) | \??\x: | icloyufl.exe
File opened (read-only) | \??\z: | icloyufl.exe
File opened (read-only) | \??\a: | fpwiaaytbq.exe
File opened (read-only) | \??\b: | fpwiaaytbq.exe
File opened (read-only) | \??\h: | fpwiaaytbq.exe
File opened (read-only) | \??\b: | icloyufl.exe
File opened (read-only) | \??\p: | icloyufl.exe
File opened (read-only) | \??\w: | icloyufl.exe
File opened (read-only) | \??\z: | icloyufl.exe
File opened (read-only) | \??\g: | icloyufl.exe
File opened (read-only) | \??\j: | icloyufl.exe
File opened (read-only) | \??\r: | icloyufl.exe
File opened (read-only) | \??\z: | fpwiaaytbq.exe
File opened (read-only) | \??\u: | icloyufl.exe
File opened (read-only) | \??\y: | fpwiaaytbq.exe
File opened (read-only) | \??\q: | fpwiaaytbq.exe
File opened (read-only) | \??\g: | icloyufl.exe
File opened (read-only) | \??\x: | fpwiaaytbq.exe
File opened (read-only) | \??\n: | icloyufl.exe
File opened (read-only) | \??\e: | icloyufl.exe
File opened (read-only) | \??\y: | icloyufl.exe
File opened (read-only) | \??\j: | fpwiaaytbq.exe
File opened (read-only) | \??\o: | fpwiaaytbq.exe
File opened (read-only) | \??\k: | icloyufl.exe
File opened (read-only) | \??\i: | fpwiaaytbq.exe
File opened (read-only) | \??\k: | fpwiaaytbq.exe
File opened (read-only) | \??\a: | icloyufl.exe
File opened (read-only) | \??\n: | icloyufl.exe
File opened (read-only) | \??\x: | icloyufl.exe
File opened (read-only) | \??\o: | icloyufl.exe
File opened (read-only) | \??\r: | fpwiaaytbq.exe
File opened (read-only) | \??\k: | icloyufl.exe
File opened (read-only) | \??\y: | icloyufl.exe
File opened (read-only) | \??\m: | icloyufl.exe
File opened (read-only) | \??\p: | icloyufl.exe
File opened (read-only) | \??\s: | icloyufl.exe
File opened (read-only) | \??\w: | icloyufl.exe
File opened (read-only) | \??\l: | fpwiaaytbq.exe
File opened (read-only) | \??\u: | icloyufl.exe
File opened (read-only) | \??\b: | icloyufl.exe
File opened (read-only) | \??\h: | icloyufl.exe
File opened (read-only) | \??\p: | fpwiaaytbq.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | fpwiaaytbq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | fpwiaaytbq.exe
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2316-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0008000000015ed2-5.dat | autoit_exe
behavioral1/files/0x000b000000012263-17.dat | autoit_exe
behavioral1/files/0x0008000000015f96-32.dat | autoit_exe
behavioral1/files/0x0008000000016009-31.dat | autoit_exe
behavioral1/files/0x00070000000164db-68.dat | autoit_exe
behavioral1/files/0x0009000000015db6-62.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\fpwiaaytbq.exe | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fpwiaaytbq.exe | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\icloyufl.exe | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\sczeojbjsotzz.exe | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | fpwiaaytbq.exe
File created | C:\Windows\SysWOW64\trsbixxhbjawcnj.exe | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\trsbixxhbjawcnj.exe | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\icloyufl.exe | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\sczeojbjsotzz.exe | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | icloyufl.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | icloyufl.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | icloyufl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | icloyufl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | icloyufl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | icloyufl.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | icloyufl.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | icloyufl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | icloyufl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | icloyufl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | icloyufl.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | icloyufl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | icloyufl.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | icloyufl.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icloyufl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fpwiaaytbq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | trsbixxhbjawcnj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icloyufl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sczeojbjsotzz.exe
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 19 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B12947E239ED52BEB9D73293D7CA" | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768B4FE1C22D1D208D1D58A0B9116" | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | fpwiaaytbq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8F9CDFE11F1E083793A3281EC3999B08D02FE4369023EE1CD42EE08A0" | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | fpwiaaytbq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | fpwiaaytbq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | fpwiaaytbq.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFFFF4F2A856D9137D72D7D97BDE7E631593166436234D69E" | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C6751596DAC5B9CE7C97ED9534C6" | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | fpwiaaytbq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | fpwiaaytbq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | fpwiaaytbq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | fpwiaaytbq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D789D5583566A4676D1772F2DDA7DF565D8" | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | fpwiaaytbq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | fpwiaaytbq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | fpwiaaytbq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | fpwiaaytbq.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2364 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
588 | fpwiaaytbq.exe
588 | fpwiaaytbq.exe
588 | fpwiaaytbq.exe
588 | fpwiaaytbq.exe
588 | fpwiaaytbq.exe
2728 | icloyufl.exe
2728 | icloyufl.exe
2728 | icloyufl.exe
2728 | icloyufl.exe
2424 | trsbixxhbjawcnj.exe
2424 | trsbixxhbjawcnj.exe
2424 | trsbixxhbjawcnj.exe
2424 | trsbixxhbjawcnj.exe
2424 | trsbixxhbjawcnj.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2884 | icloyufl.exe
2884 | icloyufl.exe
2884 | icloyufl.exe
2884 | icloyufl.exe
2424 | trsbixxhbjawcnj.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2424 | trsbixxhbjawcnj.exe
2424 | trsbixxhbjawcnj.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2424 | trsbixxhbjawcnj.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2424 | trsbixxhbjawcnj.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2424 | trsbixxhbjawcnj.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2424 | trsbixxhbjawcnj.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2424 | trsbixxhbjawcnj.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2424 | trsbixxhbjawcnj.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2424 | trsbixxhbjawcnj.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2424 | trsbixxhbjawcnj.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2424 | trsbixxhbjawcnj.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
588 | fpwiaaytbq.exe
588 | fpwiaaytbq.exe
588 | fpwiaaytbq.exe
2728 | icloyufl.exe
2424 | trsbixxhbjawcnj.exe
2424 | trsbixxhbjawcnj.exe
2424 | trsbixxhbjawcnj.exe
2728 | icloyufl.exe
2728 | icloyufl.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2884 | icloyufl.exe
2884 | icloyufl.exe
2884 | icloyufl.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
588 | fpwiaaytbq.exe
588 | fpwiaaytbq.exe
588 | fpwiaaytbq.exe
2728 | icloyufl.exe
2424 | trsbixxhbjawcnj.exe
2424 | trsbixxhbjawcnj.exe
2424 | trsbixxhbjawcnj.exe
2728 | icloyufl.exe
2728 | icloyufl.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2840 | sczeojbjsotzz.exe
2884 | icloyufl.exe
2884 | icloyufl.exe
2884 | icloyufl.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2364 | WINWORD.EXE
2364 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2316 wrote to memory of 588 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 31
PID 2316 wrote to memory of 588 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 31
PID 2316 wrote to memory of 588 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 31
PID 2316 wrote to memory of 588 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 31
PID 2316 wrote to memory of 2424 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 32
PID 2316 wrote to memory of 2424 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 32
PID 2316 wrote to memory of 2424 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 32
PID 2316 wrote to memory of 2424 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 32
PID 2316 wrote to memory of 2728 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 33
PID 2316 wrote to memory of 2728 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 33
PID 2316 wrote to memory of 2728 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 33
PID 2316 wrote to memory of 2728 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 33
PID 2316 wrote to memory of 2840 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 34
PID 2316 wrote to memory of 2840 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 34
PID 2316 wrote to memory of 2840 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 34
PID 2316 wrote to memory of 2840 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 34
PID 588 wrote to memory of 2884 | 588 | fpwiaaytbq.exe | 35
PID 588 wrote to memory of 2884 | 588 | fpwiaaytbq.exe | 35
PID 588 wrote to memory of 2884 | 588 | fpwiaaytbq.exe | 35
PID 588 wrote to memory of 2884 | 588 | fpwiaaytbq.exe | 35
PID 2316 wrote to memory of 2364 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 36
PID 2316 wrote to memory of 2364 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 36
PID 2316 wrote to memory of 2364 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 36
PID 2316 wrote to memory of 2364 | 2316 | dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe | 36
PID 2364 wrote to memory of 2320 | 2364 | WINWORD.EXE | 38
PID 2364 wrote to memory of 2320 | 2364 | WINWORD.EXE | 38
PID 2364 wrote to memory of 2320 | 2364 | WINWORD.EXE | 38
PID 2364 wrote to memory of 2320 | 2364 | WINWORD.EXE | 38
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe"
PID: 2316
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\fpwiaaytbq.exe
  Command line: fpwiaaytbq.exe
  PID: 588
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\icloyufl.exe
    Command line: C:\Windows\system32\icloyufl.exe
    PID: 2884
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Depth 2: C:\Windows\SysWOW64\trsbixxhbjawcnj.exe
  Command line: trsbixxhbjawcnj.exe
  PID: 2424
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Depth 2: C:\Windows\SysWOW64\icloyufl.exe
  Command line: icloyufl.exe
  PID: 2728
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Depth 2: C:\Windows\SysWOW64\sczeojbjsotzz.exe
  Command line: sczeojbjsotzz.exe
  PID: 2840
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Depth 2: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  PID: 2364
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2320
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads