Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 20/09/2024, 22:08
Static task: static1
Behavioral task: behavioral1
Sample: ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
Size: 512KB
MD5: ee849dcee1607b4e7a2f1c69f2ff547b
SHA1: ea661a9c9b1b50698574b21829690f3622ba3649
SHA256: 62307422f67e2c10ea5621efabfa761d2bc32bcf8e03ba7ad4100b1231bd9aa7
SHA512: 3efe7d24280c0e8e390278da707dad635c562c3ac322bcaefabff42641b968db242aafd689b453134dedc4a1b2dacd5a282d2cbb436487ed44236208aca00262
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm57
Malware Config
Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rzuerpeabb.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rzuerpeabb.exe

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rzuerpeabb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rzuerpeabb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rzuerpeabb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rzuerpeabb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rzuerpeabb.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rzuerpeabb.exe
Executes dropped EXE 5 IoCs
pid | Process
2484 | rzuerpeabb.exe
2192 | ryrnstqgbmouhis.exe
2200 | nbbdsxlx.exe
2756 | ydnuhwdxepckc.exe
2744 | nbbdsxlx.exe

Loads dropped DLL 5 IoCs
pid | Process | occurrences
2168 | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe | 4
2484 | rzuerpeabb.exe | 1
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rzuerpeabb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rzuerpeabb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rzuerpeabb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rzuerpeabb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rzuerpeabb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rzuerpeabb.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lyvlkjfo = "rzuerpeabb.exe" | ryrnstqgbmouhis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gjqlwdgy = "ryrnstqgbmouhis.exe" | ryrnstqgbmouhis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ydnuhwdxepckc.exe" | ryrnstqgbmouhis.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process | occurrences
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | rzuerpeabb.exe | 1 each (22 total)
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\y: \??\z: | nbbdsxlx.exe | 2 each (38 total)
File opened (read-only) | \??\i: \??\j: \??\k: \??\x: | nbbdsxlx.exe | 1 each (4 total)
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rzuerpeabb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rzuerpeabb.exe
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2168-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0007000000015ec9-9.dat | autoit_exe
behavioral1/files/0x000c000000012267-20.dat | autoit_exe
behavioral1/files/0x0007000000015d81-25.dat | autoit_exe
behavioral1/files/0x0007000000015f71-32.dat | autoit_exe
behavioral1/files/0x0009000000015d2a-59.dat | autoit_exe
behavioral1/files/0x0007000000016d2e-65.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\ryrnstqgbmouhis.exe | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\rzuerpeabb.exe | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rzuerpeabb.exe | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ryrnstqgbmouhis.exe | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\nbbdsxlx.exe | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\nbbdsxlx.exe | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ydnuhwdxepckc.exe | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ydnuhwdxepckc.exe | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rzuerpeabb.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | nbbdsxlx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | nbbdsxlx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | nbbdsxlx.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | nbbdsxlx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | nbbdsxlx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | nbbdsxlx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | nbbdsxlx.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | nbbdsxlx.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | nbbdsxlx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | nbbdsxlx.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | nbbdsxlx.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | nbbdsxlx.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | nbbdsxlx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | nbbdsxlx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | nbbdsxlx.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rzuerpeabb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ryrnstqgbmouhis.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nbbdsxlx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ydnuhwdxepckc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nbbdsxlx.exe
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 19 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rzuerpeabb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rzuerpeabb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rzuerpeabb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FF83482E826D9130D6207D91BCE5E137584767446335D7EE" | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rzuerpeabb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rzuerpeabb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rzuerpeabb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC67B14E3DAB7B9BA7CE0EDE037B9" | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEF9BDFE16F19784083A45819A3996B08D02F94367023CE1BD42E909A9" | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rzuerpeabb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rzuerpeabb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rzuerpeabb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rzuerpeabb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412D0D9D2C83236D3E77D070232CDF7DF564DB" | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC5B1284797399F52CDB9A13299D4CE" | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD68C3FF1D21ABD27BD0A48A7F9165" | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rzuerpeabb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rzuerpeabb.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3060 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | occurrences
2168 | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe | 8
2192 | ryrnstqgbmouhis.exe | 17
2484 | rzuerpeabb.exe | 5
2200 | nbbdsxlx.exe | 4
2756 | ydnuhwdxepckc.exe | 26
2744 | nbbdsxlx.exe | 4

Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | occurrences
2168 | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe | 3
2484 | rzuerpeabb.exe | 3
2192 | ryrnstqgbmouhis.exe | 3
2200 | nbbdsxlx.exe | 3
2756 | ydnuhwdxepckc.exe | 3
2744 | nbbdsxlx.exe | 3

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | occurrences
2168 | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe | 3
2484 | rzuerpeabb.exe | 3
2192 | ryrnstqgbmouhis.exe | 3
2200 | nbbdsxlx.exe | 3
2756 | ydnuhwdxepckc.exe | 3
2744 | nbbdsxlx.exe | 3

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process | occurrences
3060 | WINWORD.EXE | 2

Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target | occurrences
PID 2168 wrote to memory of 2484 | 2168 | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe | 30 | 4
PID 2168 wrote to memory of 2192 | 2168 | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe | 31 | 4
PID 2168 wrote to memory of 2200 | 2168 | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe | 32 | 4
PID 2168 wrote to memory of 2756 | 2168 | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe | 33 | 4
PID 2484 wrote to memory of 2744 | 2484 | rzuerpeabb.exe | 34 | 4
PID 2168 wrote to memory of 3060 | 2168 | ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe | 35 | 4
PID 3060 wrote to memory of 2836 | 3060 | WINWORD.EXE | 38 | 4
Processes
C:\Users\Admin\AppData\Local\Temp\ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ee849dcee1607b4e7a2f1c69f2ff547b_JaffaCakes118.exe"
  PID: 2168
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rzuerpeabb.exe
    Command line: rzuerpeabb.exe
    PID: 2484
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\nbbdsxlx.exe
      Command line: C:\Windows\system32\nbbdsxlx.exe
      PID: 2744
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ryrnstqgbmouhis.exe
    Command line: ryrnstqgbmouhis.exe
    PID: 2192
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\nbbdsxlx.exe
    Command line: nbbdsxlx.exe
    PID: 2200
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ydnuhwdxepckc.exe
    Command line: ydnuhwdxepckc.exe
    PID: 2756
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    PID: 3060
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 2836
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Impair Defenses 2
    Disable or Modify Tools 2
  Modify Registry 6
Downloads

Filesize: 512KB
MD5: bd4a99f533edaf9b9b3fd1af6ba9d1e7
SHA1: 242d8edfaea53022b170023aa3aeaff2ad74398a
SHA256: 61db46e9dafa20679c1c81e8d01fefefb42151c875d0205df80efbe8dca2af3e
SHA512: c4f860730be5c00ff14d6d2dbc1cd44596d69489c16a5e428ee60f6c431a849c2d53d9d9eee374e237c9c0c5dec76dd0a40b2cac1261c3e3c4a82d333c4c90df

Filesize: 512KB
MD5: 6bacc72fb01ec6ec4ec01f5993bc25de
SHA1: 56ae5e152d3eb49e1929216d7339f82364471e59
SHA256: e5fa3cbc422580de7ff5edfcb97896bf4d0690cd62622d25d007d22c05f3025a
SHA512: c5a5ec3236bef0d196c62211d9e62ac1baf88468e77ab634f8c32d46e718a9c13dafd9c709dc4e22edbf09ccc47222fb03ee8011e69d58a89f79ee8012032093

Filesize: 19KB
MD5: 72a83d1f8e4a13345da3ff5209d63e02
SHA1: 6a5e6eab4d4223e44ce8c5babf0e92936c147b5d
SHA256: 1c137a6d8813d3f16c1c0ed903b5161825601ac02fba50fc1e13081ddb6d4ac6
SHA512: 343c8527059339df769e50e0eae64b72c5cde77f5e2eb59e5343a41ec85cb6efefe858cfed99761498ae074a9562d02d60e6a441659f0e8329ac10fb6d5eb2dc

Filesize: 512KB
MD5: 4699f890f1212b1cccb346310fbacfbf
SHA1: fb589c0b1741a0bfd8963ce5de9e3a4ffb8da890
SHA256: 06ac649fdada455c2f8f0195b236c552465674a3d6af92b8b434f1a614f0d4f6
SHA512: bb3752a3677f2bc535d2987406564d1cd7039a7afb4c13f1530bd53f95242c4a98f470c3f9332913ccffc0bf3d004aca3a4387b33165afa527e78c54724819ee

Filesize: 512KB
MD5: c3529a2e7ed84a7f21e793152cc2867e
SHA1: 36ec6bb0e711b7228924987f837fe285103eb350
SHA256: 8f5c4940f7c82e70745f014b3f82b8f55b71bd34757c45ce9386c3bcfa8c149e
SHA512: e034e53b3704856db888d3b818b7b0e773fe79c0f45436144c85466ef16c4d7006c409df4817633d9c401c70e81df08b2487a6f370fd392213e55b5cc89e5acf

Filesize: 512KB
MD5: 1788c5e370ebed6dcb0eda6979276eee
SHA1: d22f8e39df223940f6f0411ed1957c0f6852c201
SHA256: 9729de0272b39ac3918a781c797a3cacd02ca904f79980ac31f03f1800453e61
SHA512: 4c35ba5e71495ccdd17710822398d899421ee33938e0d2e8da3526c58203e05acca61e0733f32b72977c970c0339b9258fb97ae32c5ffc82652e6fc4cbd06fc3

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 36a438c954c9fd3037c68ae447b1bf44
SHA1: 1f4094702ade01faebd10b1aca046da8a5a7cd38
SHA256: 20a6227b7899d83e07ffff3801255c923a01dbc02ec9df0e29c784bb8993db6e
SHA512: 2d6c931fafb733e59c750237985df6cd0e444ce3c373624ccbb03587cba11d1243c8873fb471e2aa7c9f80b73d808de8352dc025d89d7647dd8f305b8d7ec8bc