Analysis
max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted
13/09/2024, 18:29
Static task
static1
Behavioral task
behavioral1
Sample
dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Resource
win7-20240903-en
General
Target
dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Size
512KB
MD5
dea93f1cf0308015e42e51b05ef13bd4
SHA1
ef049f6085dbac0812ac290c8ecebdea689302e6
SHA256
403bb8f98bf5d3a930330989a8e283738f64e6977d53697789a87f89db8acc37
SHA512
ba0e3ba096083a7202181504ec1fcaf7b3c11f9d071d9021a051e9c200b7d17aecb1e1a8be4f86b3794534bddd96ce2a77c0ffd1fc991cb68ab69f709326a5c2
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" fpwiaaytbq.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" fpwiaaytbq.exe
Windows security bypass 5 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" fpwiaaytbq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" fpwiaaytbq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" fpwiaaytbq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" fpwiaaytbq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" fpwiaaytbq.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" fpwiaaytbq.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid Process
3824 fpwiaaytbq.exe
4384 trsbixxhbjawcnj.exe
1720 icloyufl.exe
3204 sczeojbjsotzz.exe
3000 icloyufl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" fpwiaaytbq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" fpwiaaytbq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" fpwiaaytbq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" fpwiaaytbq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" fpwiaaytbq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" fpwiaaytbq.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oqayapke = "fpwiaaytbq.exe" trsbixxhbjawcnj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adkazjko = "trsbixxhbjawcnj.exe" trsbixxhbjawcnj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sczeojbjsotzz.exe" trsbixxhbjawcnj.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\s: icloyufl.exe
File opened (read-only) \??\e: fpwiaaytbq.exe
File opened (read-only) \??\k: icloyufl.exe
File opened (read-only) \??\r: icloyufl.exe
File opened (read-only) \??\u: icloyufl.exe
File opened (read-only) \??\y: icloyufl.exe
File opened (read-only) \??\v: icloyufl.exe
File opened (read-only) \??\k: fpwiaaytbq.exe
File opened (read-only) \??\o: icloyufl.exe
File opened (read-only) \??\n: fpwiaaytbq.exe
File opened (read-only) \??\q: fpwiaaytbq.exe
File opened (read-only) \??\g: icloyufl.exe
File opened (read-only) \??\e: icloyufl.exe
File opened (read-only) \??\j: icloyufl.exe
File opened (read-only) \??\h: icloyufl.exe
File opened (read-only) \??\m: icloyufl.exe
File opened (read-only) \??\t: icloyufl.exe
File opened (read-only) \??\a: icloyufl.exe
File opened (read-only) \??\b: fpwiaaytbq.exe
File opened (read-only) \??\w: icloyufl.exe
File opened (read-only) \??\o: icloyufl.exe
File opened (read-only) \??\s: icloyufl.exe
File opened (read-only) \??\z: icloyufl.exe
File opened (read-only) \??\l: icloyufl.exe
File opened (read-only) \??\q: icloyufl.exe
File opened (read-only) \??\j: icloyufl.exe
File opened (read-only) \??\p: fpwiaaytbq.exe
File opened (read-only) \??\t: fpwiaaytbq.exe
File opened (read-only) \??\t: icloyufl.exe
File opened (read-only) \??\g: fpwiaaytbq.exe
File opened (read-only) \??\m: fpwiaaytbq.exe
File opened (read-only) \??\r: fpwiaaytbq.exe
File opened (read-only) \??\a: icloyufl.exe
File opened (read-only) \??\g: icloyufl.exe
File opened (read-only) \??\h: fpwiaaytbq.exe
File opened (read-only) \??\l: icloyufl.exe
File opened (read-only) \??\x: icloyufl.exe
File opened (read-only) \??\y: fpwiaaytbq.exe
File opened (read-only) \??\k: icloyufl.exe
File opened (read-only) \??\q: icloyufl.exe
File opened (read-only) \??\j: fpwiaaytbq.exe
File opened (read-only) \??\x: fpwiaaytbq.exe
File opened (read-only) \??\z: fpwiaaytbq.exe
File opened (read-only) \??\i: icloyufl.exe
File opened (read-only) \??\u: icloyufl.exe
File opened (read-only) \??\l: fpwiaaytbq.exe
File opened (read-only) \??\o: fpwiaaytbq.exe
File opened (read-only) \??\s: fpwiaaytbq.exe
File opened (read-only) \??\v: fpwiaaytbq.exe
File opened (read-only) \??\n: icloyufl.exe
File opened (read-only) \??\p: icloyufl.exe
File opened (read-only) \??\h: icloyufl.exe
File opened (read-only) \??\x: icloyufl.exe
File opened (read-only) \??\w: icloyufl.exe
File opened (read-only) \??\r: icloyufl.exe
File opened (read-only) \??\i: fpwiaaytbq.exe
File opened (read-only) \??\u: fpwiaaytbq.exe
File opened (read-only) \??\w: fpwiaaytbq.exe
File opened (read-only) \??\y: icloyufl.exe
File opened (read-only) \??\a: fpwiaaytbq.exe
File opened (read-only) \??\b: icloyufl.exe
File opened (read-only) \??\e: icloyufl.exe
File opened (read-only) \??\i: icloyufl.exe
File opened (read-only) \??\n: icloyufl.exe
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" fpwiaaytbq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" fpwiaaytbq.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/2032-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x0008000000023439-5.dat autoit_exe
behavioral2/files/0x00090000000233d9-18.dat autoit_exe
behavioral2/files/0x000700000002343d-28.dat autoit_exe
behavioral2/files/0x000700000002343e-32.dat autoit_exe
behavioral2/files/0x000700000002344b-71.dat autoit_exe
behavioral2/files/0x000700000002345b-95.dat autoit_exe
behavioral2/files/0x000700000002345b-98.dat autoit_exe
Drops file in System32 directory 13 IoCs
description ioc Process
File created C:\Windows\SysWOW64\fpwiaaytbq.exe dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File created C:\Windows\SysWOW64\trsbixxhbjawcnj.exe dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\trsbixxhbjawcnj.exe dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\icloyufl.exe dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\fpwiaaytbq.exe dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File created C:\Windows\SysWOW64\icloyufl.exe dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File created C:\Windows\SysWOW64\sczeojbjsotzz.exe dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\sczeojbjsotzz.exe dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll fpwiaaytbq.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe icloyufl.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe icloyufl.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe icloyufl.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe icloyufl.exe
Drops file in Program Files directory 16 IoCs
description ioc Process
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe icloyufl.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal icloyufl.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe icloyufl.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe icloyufl.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal icloyufl.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe icloyufl.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal icloyufl.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe icloyufl.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe icloyufl.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal icloyufl.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe icloyufl.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe icloyufl.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe icloyufl.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe icloyufl.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe icloyufl.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe icloyufl.exe
Drops file in Windows directory 19 IoCs
description ioc Process
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe icloyufl.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe icloyufl.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe icloyufl.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe icloyufl.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe icloyufl.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe icloyufl.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe icloyufl.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe icloyufl.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe icloyufl.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe icloyufl.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe icloyufl.exe
File opened for modification C:\Windows\mydoc.rtf dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe icloyufl.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe icloyufl.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe icloyufl.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe icloyufl.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe icloyufl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fpwiaaytbq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language trsbixxhbjawcnj.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icloyufl.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sczeojbjsotzz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icloyufl.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Modifies registry class 20 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFFFF4F2A856D9137D72D7D97BDE7E631593166436234D69E" dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768B4FE1C22D1D208D1D58A0B9116" dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg fpwiaaytbq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" fpwiaaytbq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh fpwiaaytbq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D789D5583566A4676D1772F2DDA7DF565D8" dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C6751596DAC5B9CE7C97ED9534C6" dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat fpwiaaytbq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" fpwiaaytbq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf fpwiaaytbq.exe
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" fpwiaaytbq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc fpwiaaytbq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" fpwiaaytbq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs fpwiaaytbq.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8F9CDFE11F1E083793A3281EC3999B08D02FE4369023EE1CD42EE08A0" dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B12947E239ED52BEB9D73293D7CA" dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" fpwiaaytbq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" fpwiaaytbq.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
3596 WINWORD.EXE
3596 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 4384 trsbixxhbjawcnj.exe 4384 trsbixxhbjawcnj.exe 4384 trsbixxhbjawcnj.exe 4384 trsbixxhbjawcnj.exe 4384 trsbixxhbjawcnj.exe 4384 trsbixxhbjawcnj.exe 4384 trsbixxhbjawcnj.exe 4384 trsbixxhbjawcnj.exe 4384 trsbixxhbjawcnj.exe 4384 trsbixxhbjawcnj.exe 3204 sczeojbjsotzz.exe 3204 sczeojbjsotzz.exe 3204 sczeojbjsotzz.exe 3204 sczeojbjsotzz.exe 3204 sczeojbjsotzz.exe 3204 sczeojbjsotzz.exe 3204 sczeojbjsotzz.exe 3204 sczeojbjsotzz.exe 3824 fpwiaaytbq.exe 3204 sczeojbjsotzz.exe 3204 sczeojbjsotzz.exe 3824 fpwiaaytbq.exe 3204 sczeojbjsotzz.exe 3204 sczeojbjsotzz.exe 3824 fpwiaaytbq.exe 3824 fpwiaaytbq.exe 3824 fpwiaaytbq.exe 3824 fpwiaaytbq.exe 3824 fpwiaaytbq.exe 3824 fpwiaaytbq.exe 3824 fpwiaaytbq.exe 3824 fpwiaaytbq.exe 1720 icloyufl.exe 1720 icloyufl.exe 1720 icloyufl.exe 1720 icloyufl.exe 1720 icloyufl.exe 1720 icloyufl.exe 1720 icloyufl.exe 1720 icloyufl.exe 4384 trsbixxhbjawcnj.exe 4384 trsbixxhbjawcnj.exe 3204 sczeojbjsotzz.exe 3204 sczeojbjsotzz.exe 3204 sczeojbjsotzz.exe 3204 sczeojbjsotzz.exe 3000 icloyufl.exe 3000 icloyufl.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 4384 trsbixxhbjawcnj.exe 4384 trsbixxhbjawcnj.exe 4384 trsbixxhbjawcnj.exe 3824 fpwiaaytbq.exe 3204 sczeojbjsotzz.exe 1720 icloyufl.exe 3824 fpwiaaytbq.exe 3204 sczeojbjsotzz.exe 1720 icloyufl.exe 3824 fpwiaaytbq.exe 3204 sczeojbjsotzz.exe 1720 icloyufl.exe 3000 icloyufl.exe 3000 icloyufl.exe 3000 icloyufl.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 4384 trsbixxhbjawcnj.exe 4384 trsbixxhbjawcnj.exe 4384 trsbixxhbjawcnj.exe 3824 fpwiaaytbq.exe 3204 sczeojbjsotzz.exe 1720 icloyufl.exe 3824 fpwiaaytbq.exe 3204 sczeojbjsotzz.exe 1720 icloyufl.exe 3824 fpwiaaytbq.exe 3204 sczeojbjsotzz.exe 1720 icloyufl.exe 3000 icloyufl.exe 3000 icloyufl.exe 3000 icloyufl.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 3596 WINWORD.EXE 3596 WINWORD.EXE 3596 WINWORD.EXE 3596 WINWORD.EXE 3596 WINWORD.EXE 3596 WINWORD.EXE 3596 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 2032 wrote to memory of 3824 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 86
PID 2032 wrote to memory of 3824 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 86
PID 2032 wrote to memory of 3824 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 86
PID 2032 wrote to memory of 4384 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 87
PID 2032 wrote to memory of 4384 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 87
PID 2032 wrote to memory of 4384 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 87
PID 2032 wrote to memory of 1720 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 88
PID 2032 wrote to memory of 1720 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 88
PID 2032 wrote to memory of 1720 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 88
PID 2032 wrote to memory of 3204 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 89
PID 2032 wrote to memory of 3204 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 89
PID 2032 wrote to memory of 3204 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 89
PID 2032 wrote to memory of 3596 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 90
PID 2032 wrote to memory of 3596 2032 dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe 90
PID 3824 wrote to memory of 3000 3824 fpwiaaytbq.exe 92
PID 3824 wrote to memory of 3000 3824 fpwiaaytbq.exe 92
PID 3824 wrote to memory of 3000 3824 fpwiaaytbq.exe 92
Processes
C:\Users\Admin\AppData\Local\Temp\dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2032

    C:\Windows\SysWOW64\fpwiaaytbq.exe
    fpwiaaytbq.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3824

        C:\Windows\SysWOW64\icloyufl.exe
        C:\Windows\system32\icloyufl.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID:3000

    C:\Windows\SysWOW64\trsbixxhbjawcnj.exe
    trsbixxhbjawcnj.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4384

    C:\Windows\SysWOW64\icloyufl.exe
    icloyufl.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1720

    C:\Windows\SysWOW64\sczeojbjsotzz.exe
    sczeojbjsotzz.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3204

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3596
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 2
- Registry Run Keys / Startup Folder 1
- Winlogon Helper DLL 1
Privilege Escalation
- Boot or Logon Autostart Execution 2
- Registry Run Keys / Startup Folder 1
- Winlogon Helper DLL 1
Defense Evasion
- Hide Artifacts 2
- Hidden Files and Directories 2
- Impair Defenses 2
- Disable or Modify Tools 2
- Modify Registry 6
Downloads

Filesize
512KB
MD5
1ec0e877baa913360302e094857b7b07
SHA1
6b9c24f434903ad8aa2dbaa07082a1f8a1290e4e
SHA256
aa6ac7fa9d922ff0b671cc110081efe55b84ad30f14670f6e77a0c1041a5fbcc
SHA512
a09d1da737a70ddbbde2e8abcb42664703ba649b010ee8418d030b2a80b1cdec030a3222c89e30eaa11baf678c337a41275423b8975ec0220e24d7ffb87b04ab

Filesize
263KB
MD5
ff0e07eff1333cdf9fc2523d323dd654
SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Filesize
344B
MD5
3c4f9a1db057cccebbdfe224755f5c03
SHA1
db9524f62caa19e935d1bfa92d782ef7eb7440a2
SHA256
57b119bb65c1b3d258f428e980878147547293cff65bd1dabae94a671c8e3616
SHA512
1801354993c7bc47a0f2a21a2a4a8e055963127efe62f7f671d2f57b0c0cfee52afcc0ea0609887f260d444c63655a8565ca7d3f399efb7e09777787b9975458

Filesize
16B
MD5
d29962abc88624befc0135579ae485ec
SHA1
e40a6458296ec6a2427bcb280572d023a9862b31
SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
1KB
MD5
b5fe056544b8b2f7e47139d0168b93a3
SHA1
8ef0cdc7c60a95c7f1fa5424fc7f8399ef605904
SHA256
2625f7316fb97476aea8ac1ac16800c8c774b94a44e5db4b5f777915bcb675b8
SHA512
b29495ce0ea91eeeb918efbd54e8501ee67f3409933935997fd07bd6cc5489e38ce4c278a91fa96088e00f3a6b14d43691ba18df9eece536447bf51d90e18ed8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
1KB
MD5
023a7c7e7e82c1ff191c7c0486227605
SHA1
cf73ef8e2afb57ec96edb085c743320936c781f2
SHA256
365f28060213d45bfba0043f6afe387357ecbbcce23193033db6a462dbad11bf
SHA512
5618a61c37328075b2ab35762cdd7ecaff127873d66d4bb34e3828576bc6253678680d313d56c45e04d180b5ce27a9e5c62eaa4e3c70ed32bc52e2b31326e059

Filesize
512KB
MD5
d5026f882ea4eb8574abddacb3876d8a
SHA1
a2df1bb6118f1ec5b18c8d09f30634174a5a77be
SHA256
551835f8cb30769dd5750f9ed96e2032614658af3e9f25e45a3befbc52db0f1a
SHA512
fd50a036c62fe00a029db886281340d512edf2b673c0aabebd6f35f4840dfd565f4eeb026c8d480f432929746d9aff0c52fd22fbe65c13141209c0a8da903482

Filesize
512KB
MD5
b79a0f82a27d0f66dc343667507ee362
SHA1
e5a217d5967bd77a186569241670363a973cefc3
SHA256
e11d69a9dccb3b3fe5c6b1c2685f04bdf30d7bb68506604420b67b60ef50132e
SHA512
fa5732af370c678f6ba89daeac4d0cadff84b5a3b334e409454766dcb28b29ed1b51118595d13ae0daee2b65107d7fe8f46b3f5411b3ae9d5dbbc95c3fde6607

Filesize
512KB
MD5
0af68fa3b1663d060bca5d6af8aedb25
SHA1
0e1f80b097e85fe305783357e0d905ba6ef199a9
SHA256
ecb8048d869a17478528937df25eb6583a6faf9e0c09405acddc98a60ba648af
SHA512
0a12f469e3b8e8ccd30ee87d25aea02a3dcb5af4bb42c57bfaa954f2b8ac06ac328d0470646f73eb3b8481fb8b931811b3a15979885283d165be96656bde3679

Filesize
512KB
MD5
111338d0ba33db05a19f88461cf02c2f
SHA1
1d1aabcc1df3c069993e42a79c27fe33dd544ee4
SHA256
aa400cd57d9f562cdbe67c1b9bb83834892d6696f6da3838ff46547f46f9a9fe
SHA512
1eb11b6ee3a249906eb2fd22beff5bc51845fece20b1abccb1b4e247e2a6a2a0b0445d4be1181d0850299ea68316a20ab88de1b59c451cfabfad4265a574a760

Filesize
223B
MD5
06604e5941c126e2e7be02c5cd9f62ec
SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize
512KB
MD5
797634555c7cb0bad0336493766a1640
SHA1
48918d8a7db408946d787b483e02cb946abe78a3
SHA256
7a25689c87d177623331b5e4e954d2dd291959500db10fa1a52b4bdad7152faa
SHA512
7fcf6f18d5a5748760e12fd7688d819752ad9b4d52738e652162df1a22bfd0eeb5415a1b55382765e40fde6784c0927ae88b48667085f18ef673813a800e4002

Filesize
512KB
MD5
ef9927cf5564dc21ceff614b7939efc8
SHA1
8d1f4fc9533b79a73a4e00e77e1d96f19d79c25c
SHA256
d8400dcc91889930864875c0d9dcf3d89fc5d5d60208ac817d747ed95200c0a9
SHA512
4aa9de3055c34b885f91a0b993ed05587037b1378a22c782ec32446dd5bca5084befa5e691ad684f1e010c45aec06dfb0df53df9b66c2ef7889eee16b6b17375