Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/09/2024, 06:26
Static task: static1
Behavioral task: behavioral1
Sample: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
Size: 512KB
MD5: e1e2a51f4bed9b584bccb521b199bac8
SHA1: 6e78985940248bf47418ea617a406502b7d58be1
SHA256: 82a9956c3cdc8007b2d8c4b3ce009501df7f6089b8d8efe7df19bca4d176bfa9
SHA512: decac079fc0743936c244d91126fde8eeed721ef394253e928285274e8b8b03e04df35f1e0669f2e34b86696d87d6afe4eccba662f4a14dde579ebdaa57a8c09
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: wumpazsjwv.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: wumpazsjwv.exe)
Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: wumpazsjwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: wumpazsjwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: wumpazsjwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: wumpazsjwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: wumpazsjwv.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: wumpazsjwv.exe)
Executes dropped EXE 5 IoCs
- PID 1812 wumpazsjwv.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 1832 jirphyhi.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 2016 jirphyhi.exe
Loads dropped DLL 5 IoCs
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 1812 wumpazsjwv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: wumpazsjwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: wumpazsjwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: wumpazsjwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: wumpazsjwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: wumpazsjwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: wumpazsjwv.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yvpuspku = "jslpxbkoctgwfrw.exe" (process: jslpxbkoctgwfrw.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "egfcdsfnarhqu.exe" (process: jslpxbkoctgwfrw.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mtmqmelo = "wumpazsjwv.exe" (process: jslpxbkoctgwfrw.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\n: (process: jirphyhi.exe)
- File opened (read-only) \??\g: (process: jirphyhi.exe)
- File opened (read-only) \??\n: (process: jirphyhi.exe)
- File opened (read-only) \??\t: (process: jirphyhi.exe)
- File opened (read-only) \??\e: (process: jirphyhi.exe)
- File opened (read-only) \??\m: (process: jirphyhi.exe)
- File opened (read-only) \??\z: (process: jirphyhi.exe)
- File opened (read-only) \??\w: (process: wumpazsjwv.exe)
- File opened (read-only) \??\h: (process: jirphyhi.exe)
- File opened (read-only) \??\l: (process: jirphyhi.exe)
- File opened (read-only) \??\p: (process: jirphyhi.exe)
- File opened (read-only) \??\r: (process: jirphyhi.exe)
- File opened (read-only) \??\t: (process: jirphyhi.exe)
- File opened (read-only) \??\g: (process: wumpazsjwv.exe)
- File opened (read-only) \??\l: (process: wumpazsjwv.exe)
- File opened (read-only) \??\t: (process: wumpazsjwv.exe)
- File opened (read-only) \??\y: (process: jirphyhi.exe)
- File opened (read-only) \??\a: (process: wumpazsjwv.exe)
- File opened (read-only) \??\n: (process: wumpazsjwv.exe)
- File opened (read-only) \??\u: (process: jirphyhi.exe)
- File opened (read-only) \??\j: (process: jirphyhi.exe)
- File opened (read-only) \??\l: (process: jirphyhi.exe)
- File opened (read-only) \??\p: (process: wumpazsjwv.exe)
- File opened (read-only) \??\i: (process: jirphyhi.exe)
- File opened (read-only) \??\q: (process: wumpazsjwv.exe)
- File opened (read-only) \??\g: (process: jirphyhi.exe)
- File opened (read-only) \??\o: (process: jirphyhi.exe)
- File opened (read-only) \??\r: (process: jirphyhi.exe)
- File opened (read-only) \??\o: (process: jirphyhi.exe)
- File opened (read-only) \??\e: (process: wumpazsjwv.exe)
- File opened (read-only) \??\i: (process: wumpazsjwv.exe)
- File opened (read-only) \??\j: (process: wumpazsjwv.exe)
- File opened (read-only) \??\m: (process: wumpazsjwv.exe)
- File opened (read-only) \??\b: (process: jirphyhi.exe)
- File opened (read-only) \??\a: (process: jirphyhi.exe)
- File opened (read-only) \??\v: (process: wumpazsjwv.exe)
- File opened (read-only) \??\a: (process: jirphyhi.exe)
- File opened (read-only) \??\q: (process: jirphyhi.exe)
- File opened (read-only) \??\v: (process: jirphyhi.exe)
- File opened (read-only) \??\k: (process: wumpazsjwv.exe)
- File opened (read-only) \??\y: (process: wumpazsjwv.exe)
- File opened (read-only) \??\j: (process: jirphyhi.exe)
- File opened (read-only) \??\k: (process: jirphyhi.exe)
- File opened (read-only) \??\m: (process: jirphyhi.exe)
- File opened (read-only) \??\p: (process: jirphyhi.exe)
- File opened (read-only) \??\s: (process: jirphyhi.exe)
- File opened (read-only) \??\y: (process: jirphyhi.exe)
- File opened (read-only) \??\z: (process: jirphyhi.exe)
- File opened (read-only) \??\k: (process: jirphyhi.exe)
- File opened (read-only) \??\x: (process: jirphyhi.exe)
- File opened (read-only) \??\w: (process: jirphyhi.exe)
- File opened (read-only) \??\x: (process: jirphyhi.exe)
- File opened (read-only) \??\w: (process: jirphyhi.exe)
- File opened (read-only) \??\b: (process: wumpazsjwv.exe)
- File opened (read-only) \??\s: (process: wumpazsjwv.exe)
- File opened (read-only) \??\h: (process: wumpazsjwv.exe)
- File opened (read-only) \??\x: (process: wumpazsjwv.exe)
- File opened (read-only) \??\e: (process: jirphyhi.exe)
- File opened (read-only) \??\b: (process: jirphyhi.exe)
- File opened (read-only) \??\h: (process: jirphyhi.exe)
- File opened (read-only) \??\q: (process: jirphyhi.exe)
- File opened (read-only) \??\s: (process: jirphyhi.exe)
- File opened (read-only) \??\v: (process: jirphyhi.exe)
- File opened (read-only) \??\u: (process: wumpazsjwv.exe)
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: wumpazsjwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: wumpazsjwv.exe)
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
- behavioral1/memory/2508-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral1/files/0x00080000000162b2-9.dat (yara rule: autoit_exe)
- behavioral1/files/0x0008000000016115-21.dat (yara rule: autoit_exe)
- behavioral1/files/0x0007000000012117-40.dat (yara rule: autoit_exe)
- behavioral1/files/0x000800000001642d-39.dat (yara rule: autoit_exe)
- behavioral1/files/0x0009000000015f3b-67.dat (yara rule: autoit_exe)
- behavioral1/files/0x0008000000016d29-69.dat (yara rule: autoit_exe)
Drops file in System32 directory 9 IoCs
- File created C:\Windows\SysWOW64\jslpxbkoctgwfrw.exe (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\jirphyhi.exe (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (process: wumpazsjwv.exe)
- File created C:\Windows\SysWOW64\wumpazsjwv.exe (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\wumpazsjwv.exe (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\jslpxbkoctgwfrw.exe (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\jirphyhi.exe (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\egfcdsfnarhqu.exe (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\egfcdsfnarhqu.exe (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
Drops file in Program Files directory 14 IoCs
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: jirphyhi.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: jirphyhi.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: jirphyhi.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (process: jirphyhi.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (process: jirphyhi.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (process: jirphyhi.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: jirphyhi.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: jirphyhi.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: jirphyhi.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: jirphyhi.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: jirphyhi.exe)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: jirphyhi.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: jirphyhi.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (process: jirphyhi.exe)
Drops file in Windows directory 5 IoCs
- File opened for modification C:\Windows\mydoc.rtf (process: WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (process: WINWORD.EXE)
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (process: WINWORD.EXE)
- File opened for modification C:\Windows\~$mydoc.rtf (process: WINWORD.EXE)
- File opened for modification C:\Windows\mydoc.rtf (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: wumpazsjwv.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: jslpxbkoctgwfrw.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: jirphyhi.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: egfcdsfnarhqu.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: jirphyhi.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WINWORD.EXE)
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 19 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (process: wumpazsjwv.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (process: wumpazsjwv.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFF9CEF961F29984783B4386E939E5B08C03F04316023EE1C8459B09D4" (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FFFB48268512913CD65D7D93BDE3E1335845674F623FD691" (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (process: wumpazsjwv.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (process: wumpazsjwv.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (process: wumpazsjwv.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (process: wumpazsjwv.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (process: wumpazsjwv.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442D7D9C2482246A4677A177252CAD7CF265DF" (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B158449738E253BDB9A2329DD7CF" (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (process: wumpazsjwv.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (process: wumpazsjwv.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FC68B1FE6922D9D27DD0D28A759165" (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (process: wumpazsjwv.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (process: wumpazsjwv.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C70C14E2DBBEB9BE7FE4ED9537CC" (process: e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (process: wumpazsjwv.exe)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
- PID 1712 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 1812 wumpazsjwv.exe
- PID 1812 wumpazsjwv.exe
- PID 1812 wumpazsjwv.exe
- PID 1812 wumpazsjwv.exe
- PID 1812 wumpazsjwv.exe
- PID 1832 jirphyhi.exe
- PID 1832 jirphyhi.exe
- PID 1832 jirphyhi.exe
- PID 1832 jirphyhi.exe
- PID 2016 jirphyhi.exe
- PID 2016 jirphyhi.exe
- PID 2016 jirphyhi.exe
- PID 2016 jirphyhi.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 2328 jslpxbkoctgwfrw.exe
Suspicious use of FindShellTrayWindow 18 IoCs
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 1812 wumpazsjwv.exe
- PID 1812 wumpazsjwv.exe
- PID 1812 wumpazsjwv.exe
- PID 1832 jirphyhi.exe
- PID 1832 jirphyhi.exe
- PID 1832 jirphyhi.exe
- PID 2016 jirphyhi.exe
- PID 2016 jirphyhi.exe
- PID 2016 jirphyhi.exe
Suspicious use of SendNotifyMessage 18 IoCs
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 1852 egfcdsfnarhqu.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 2328 jslpxbkoctgwfrw.exe
- PID 1812 wumpazsjwv.exe
- PID 1812 wumpazsjwv.exe
- PID 1812 wumpazsjwv.exe
- PID 1832 jirphyhi.exe
- PID 1832 jirphyhi.exe
- PID 1832 jirphyhi.exe
- PID 2016 jirphyhi.exe
- PID 2016 jirphyhi.exe
- PID 2016 jirphyhi.exe
Suspicious use of SetWindowsHookEx 2 IoCs
- PID 1712 WINWORD.EXE
- PID 1712 WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
- PID 2508 wrote to memory of 1812 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 30)
- PID 2508 wrote to memory of 1812 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 30)
- PID 2508 wrote to memory of 1812 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 30)
- PID 2508 wrote to memory of 1812 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 30)
- PID 2508 wrote to memory of 2328 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 31)
- PID 2508 wrote to memory of 2328 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 31)
- PID 2508 wrote to memory of 2328 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 31)
- PID 2508 wrote to memory of 2328 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 31)
- PID 2508 wrote to memory of 1832 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 32)
- PID 2508 wrote to memory of 1832 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 32)
- PID 2508 wrote to memory of 1832 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 32)
- PID 2508 wrote to memory of 1832 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 32)
- PID 2508 wrote to memory of 1852 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 33)
- PID 2508 wrote to memory of 1852 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 33)
- PID 2508 wrote to memory of 1852 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 33)
- PID 2508 wrote to memory of 1852 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 33)
- PID 1812 wrote to memory of 2016 (source: 1812 wumpazsjwv.exe, target procid 34)
- PID 1812 wrote to memory of 2016 (source: 1812 wumpazsjwv.exe, target procid 34)
- PID 1812 wrote to memory of 2016 (source: 1812 wumpazsjwv.exe, target procid 34)
- PID 1812 wrote to memory of 2016 (source: 1812 wumpazsjwv.exe, target procid 34)
- PID 2508 wrote to memory of 1712 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 35)
- PID 2508 wrote to memory of 1712 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 35)
- PID 2508 wrote to memory of 1712 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 35)
- PID 2508 wrote to memory of 1712 (source: 2508 e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe, target procid 35)
- PID 1712 wrote to memory of 2776 (source: 1712 WINWORD.EXE, target procid 37)
- PID 1712 wrote to memory of 2776 (source: 1712 WINWORD.EXE, target procid 37)
- PID 1712 wrote to memory of 2776 (source: 1712 WINWORD.EXE, target procid 37)
- PID 1712 wrote to memory of 2776 (source: 1712 WINWORD.EXE, target procid 37)
Processes
C:\Users\Admin\AppData\Local\Temp\e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe  [level 1, PID 2508]
  command line: "C:\Users\Admin\AppData\Local\Temp\e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\wumpazsjwv.exe  [level 2, PID 1812]
    command line: wumpazsjwv.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\jirphyhi.exe  [level 3, PID 2016]
      command line: C:\Windows\system32\jirphyhi.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\jslpxbkoctgwfrw.exe  [level 2, PID 2328]
    command line: jslpxbkoctgwfrw.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\jirphyhi.exe  [level 2, PID 1832]
    command line: jirphyhi.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\egfcdsfnarhqu.exe  [level 2, PID 1852]
    command line: egfcdsfnarhqu.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  [level 2, PID 1712]
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe  [level 3, PID 2776]
      command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads