Analysis
max time kernel: 150s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/09/2024, 22:47
Static task: static1
Behavioral task: behavioral1
Sample: ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
Resource: win7-20240903-en
Note: the behavioural signatures, YARA hits and dropped files below are labelled behavioral2 and reference Windows 10 build 10.0.19041 component-store paths, i.e. they come from the win10v2004 run described under Analysis. The Windows 7 task is listed but its results are not shown on this page.
General
Target: ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
Size: 512KB
MD5: ee93a50df5c496640d8e0943f5efc2ce
SHA1: 2e666ba4c55d23b077c5c307ff5f7c51ee7039a8
SHA256: c5a2b0d2b91620edfb58e777c9e7dcf44b11e8347a822ee3c659fdf81b318077
SHA512: e217e6490554b18141cfabbd7939064eff706c315d06e0af7e9d1aa92745d1b576ce1382c1f30e5674a3fcf4c7bae855957e81923397a837fe529b1b618772d5
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6K:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5R
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  -- tsyzeztzbw.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  -- tsyzeztzbw.exe
  Both values are the Windows defaults (extensions hidden, protected system files hidden), so the write only changes anything on a host where the user had switched them on. Combined with the *.DOC.exe copies dropped later, the effect is that Explorer lists a file such as PROTTPLV.DOC.exe as "PROTTPLV.DOC".
Windows security bypass (5 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  -- tsyzeztzbw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  -- tsyzeztzbw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  -- tsyzeztzbw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  -- tsyzeztzbw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  -- tsyzeztzbw.exe
  These are the legacy Security Center notification switches from 32-bit Windows XP/Vista. The WOW6432Node path shows that registry redirection sent the 32-bit sample's writes to the 32-bit view, which the 64-bit Security Center service on this image does not read, so on x64 the bypass is ineffective; the values remain a clean detection artefact because nothing legitimate sets them.
Disables RegEdit via registry modification (1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  -- tsyzeztzbw.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
  PID 1488  tsyzeztzbw.exe
  PID 4992  etoprslfhjrwtlj.exe
  PID 4996  xbzazihz.exe
  PID 1400  takkhchqmqgmr.exe
  PID 4896  xbzazihz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification (6 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  -- tsyzeztzbw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  -- tsyzeztzbw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  -- tsyzeztzbw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  -- tsyzeztzbw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  -- tsyzeztzbw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  -- tsyzeztzbw.exe
  Same Security Center key as the "Windows security bypass" signature above, with FirstRunDisabled added; the two signatures overlap on the same writes.
Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xzatvxic = "tsyzeztzbw.exe"  -- etoprslfhjrwtlj.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sjometke = "etoprslfhjrwtlj.exe"  -- etoprslfhjrwtlj.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "takkhchqmqgmr.exe"  -- etoprslfhjrwtlj.exe
  The third entry has an empty value name, i.e. it was written to the Run key's (Default) value. All three are bare file names with no path. Unlike the Security Center writes, the WOW6432Node location does not defeat this persistence: on 64-bit Windows the logon sequence processes both the native and the WOW6432Node Run key.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z:  -- tsyzeztzbw.exe (23 opens, one per letter)
  File opened (read-only)  \??\a: b: e: g: h: i: j: k: l: m: o: p: q: r: s: t: u: v: w: x: y: z:  -- xbzazihz.exe (41 opens across its two instances, most letters twice)
  Walking every drive letter is how worms and file infectors locate removable and mapped drives; nothing on this page shows what, if anything, was written to them.
Modifies WinLogon (2 TTPs, 2 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  -- tsyzeztzbw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  -- tsyzeztzbw.exe
  4294967197 is 0xFFFFFF9D, the value that switched off Windows File Protection on Windows 2000/XP. Vista and later replaced WFP with Windows Resource Protection and ignore these values, so on this Windows 10 image the write is a no-op; it is still worth alerting on, since no legitimate installer sets SFCDisable. Note these are WFP switches under the Winlogon key, not Winlogon Notify/Userinit/Shell helper entries.
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
  YARA rule autoit_exe matched:
  behavioral2/memory/3224-0-0x0000000000400000-0x0000000000496000-memory.dmp
  behavioral2/files/0x0007000000023437-5.dat
  behavioral2/files/0x00090000000233d9-18.dat
  behavioral2/files/0x0007000000023438-28.dat
  behavioral2/files/0x0007000000023439-30.dat
  behavioral2/files/0x0007000000023445-69.dat
  behavioral2/files/0x0007000000023446-75.dat
  behavioral2/files/0x000b00000002347a-195.dat
  behavioral2/files/0x000b00000002347a-461.dat
  The first hit is the submitted sample's own image in memory (PID 3224); the remaining eight are files it dropped, so every drop is a compiled AutoIt executable as well.
Drops file in System32 directory (12 IoCs)
  File created                  C:\Windows\SysWOW64\tsyzeztzbw.exe  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\tsyzeztzbw.exe  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\etoprslfhjrwtlj.exe  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\etoprslfhjrwtlj.exe  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\xbzazihz.exe  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\xbzazihz.exe  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\takkhchqmqgmr.exe  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\takkhchqmqgmr.exe  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll  -- tsyzeztzbw.exe
  File created                  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  -- xbzazihz.exe
  File opened for modification  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  -- xbzazihz.exe (x2)
  Every path is under SysWOW64: the sample is 32-bit (arch:x86 tag), so its writes to System32 are redirected by WOW64. msvbvm60.dll is the Visual Basic 6 runtime and was opened for modification, not created.
Drops file in Program Files directory (14 IoCs)
  File created                  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  -- xbzazihz.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  -- xbzazihz.exe (x4, as C:\ and \??\c:\)
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal  -- xbzazihz.exe (x2)
  File created                  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  -- xbzazihz.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  -- xbzazihz.exe (x4, as C:\ and \??\c:\)
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal  -- xbzazihz.exe (x2)
  The new executables are named after the Word template files in that directory with ".exe" appended. With HideFileExt set to 1 (see above) Explorer shows them as PROTTPLV.DOC and PROTTPLN.DOC with an executable's icon replaced by whatever icon the binary carries. The page does not show what the .nal writes contain.
Drops file in Windows directory (19 IoCs)
  File created                  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  -- xbzazihz.exe (x2)
  File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  -- xbzazihz.exe (x2)
  File created                  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  -- xbzazihz.exe (x2)
  File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  -- xbzazihz.exe (x2)
  File created                  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  -- xbzazihz.exe (x2)
  File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  -- xbzazihz.exe (x2)
  File created                  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  -- xbzazihz.exe (x2)
  File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  -- xbzazihz.exe (x2)
  File opened for modification  C:\Windows\mydoc.rtf  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  File opened for modification  C:\Windows\mydoc.rtf  -- WINWORD.EXE
  File created                  C:\Windows\~$mydoc.rtf  -- WINWORD.EXE
  The four WinSxS folders are the component-store copies (amd64 and wow64, builds 10.0.19041.1 and .746) of the Office IRM protectors component; the sample plants an executable named after MsoIrmProtector.doc in each. mydoc.rtf is written by the sample and then opened in Word as a decoy (see Processes); ~$mydoc.rtf is Word's own owner-lock file, not a drop.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe, tsyzeztzbw.exe, etoprslfhjrwtlj.exe, takkhchqmqgmr.exe, xbzazihz.exe (x2)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  -- WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  -- WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  -- WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  -- WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  -- WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  -- WINWORD.EXE
  All six reads are by WINWORD.EXE, the legitimate Office binary the sample launched to display mydoc.rtf, not by the sample or its drops. Treat these two hits as Word's own start-up behaviour rather than as anti-sandbox checks by the malware.
Modifies registry class (20 IoCs)
  Key created      \REGISTRY\MACHINE\Software\Classes\CLV.Classes  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472D7B9D2082556A4277A177222DAD7DF565DE"  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFF9B0F962F299840B3A4286973997B0FE02FE4211023EE2CA42EC08A0"  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B12844E439E352C4BAA2329DD4CC"  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FFF9482B851A9130D75D7D9DBC97E144584667406333D6ED"  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668C6FE1C22DCD109D1A68A099110"  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC67B15EDDAB6B8C17FE0ED9534CC"  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  Key created      \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings  -- ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.bat  -- tsyzeztzbw.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"  -- tsyzeztzbw.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.reg  -- tsyzeztzbw.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"  -- tsyzeztzbw.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs  -- tsyzeztzbw.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"  -- tsyzeztzbw.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc  -- tsyzeztzbw.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"  -- tsyzeztzbw.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf  -- tsyzeztzbw.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"  -- tsyzeztzbw.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh  -- tsyzeztzbw.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"  -- tsyzeztzbw.exe
  Two different things are happening here. The CLV.Classes key with its Com1..Com4 and StartCom1..2 hex strings is an invented class name, apparently used by the sample as its own configuration store. The second group sets the (Default) value of the .bat, .reg, .vbs, .wsc, .wsf and .wsh extension keys to "txtfile", which changes their ProgID: double-clicking any of these files now opens it in Notepad instead of executing it or importing it, which blocks casual cleanup with a batch script or a .reg file. Restoring the stock ProgIDs (batfile, regfile, VBSFile, scriptletfile, WSFFile, WSHFile) is part of remediation.
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 3836  WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3224  ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe (x16)
  PID 1488  tsyzeztzbw.exe (x10)
  PID 1400  takkhchqmqgmr.exe (x12)
  PID 4992  etoprslfhjrwtlj.exe (x10)
  PID 4996  xbzazihz.exe (x8)
  PID 4896  xbzazihz.exe (x8)
Suspicious use of FindShellTrayWindow (18 IoCs)
  PID 3224  ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe (x3)
  PID 1488  tsyzeztzbw.exe (x3)
  PID 4992  etoprslfhjrwtlj.exe (x3)
  PID 4996  xbzazihz.exe (x3)
  PID 1400  takkhchqmqgmr.exe (x3)
  PID 4896  xbzazihz.exe (x3)
Suspicious use of SendNotifyMessage (18 IoCs)
  PID 3224  ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe (x3)
  PID 1488  tsyzeztzbw.exe (x3)
  PID 4992  etoprslfhjrwtlj.exe (x3)
  PID 4996  xbzazihz.exe (x3)
  PID 1400  takkhchqmqgmr.exe (x3)
  PID 4896  xbzazihz.exe (x3)
Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 3836  WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory (17 IoCs)
  PID 3224 (ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe) wrote to memory of 1488 (tsyzeztzbw.exe), procid_target 82  (x3)
  PID 3224 (ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe) wrote to memory of 4992 (etoprslfhjrwtlj.exe), procid_target 83  (x3)
  PID 3224 (ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe) wrote to memory of 4996 (xbzazihz.exe), procid_target 84  (x3)
  PID 3224 (ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe) wrote to memory of 1400 (takkhchqmqgmr.exe), procid_target 85  (x3)
  PID 1488 (tsyzeztzbw.exe) wrote to memory of 4896 (xbzazihz.exe), procid_target 86  (x3)
  PID 3224 (ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe) wrote to memory of 3836 (WINWORD.EXE), procid_target 87  (x2)
  Every write is from a parent into a child it had just created (compare the Processes tree), which is consistent with ordinary process start-up rather than injection into an unrelated process. The FindShellTrayWindow/SendNotifyMessage hits are typical of compiled AutoIt and are not evidence of anything on their own.
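The registry IoCs above (Explorer view flags, DisableRegistryTools, the Security Center switches in both registry views, the Winlogon SFC values, the three Run entries and the six hijacked script extensions) are the list a responder would check a host against. The following PowerShell is an added example and is not part of the tria.ge report or the sample; every key path, value name and value is copied from the signatures, while the restore targets (documented Windows defaults, or deleting the value) and the choice to check only HKCU for the current user are assumptions made here.

```powershell
# Added example, not part of the tria.ge report: audit a host for the registry
# IoCs listed in the Signatures above and optionally undo them.
# Run from an elevated 64-bit PowerShell so both the native and WOW6432Node
# views are visible. Only the current user's hive (HKCU:) is checked; other
# profiles would need their hives loaded under HKU:. The restore values are
# assumptions made here (documented Windows defaults, or "delete the value"),
# not something the report states. Dropped files are out of scope here.
[CmdletBinding()]
param([switch]$Remediate)

function Get-RegValue([string]$Path, [string]$Name) {
    # $null if the key or value is absent; Name '' addresses the (Default) value.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name, $null)
}

function Test-SameValue($Actual, $Expected) {
    if ($null -eq $Actual) { return $false }
    # A REG_DWORD above 0x7FFFFFFF reads back as a negative Int32
    # (SFCDisable 0xFFFFFF9D comes back as -99); normalise before comparing.
    if ($Actual -is [int] -and $Actual -lt 0) { $Actual = [int64]$Actual + 4294967296 }
    return ([string]$Actual) -eq ([string]$Expected)
}

# Path, value name, value the sample wrote, value to restore ($null = delete).
$valueChecks = @(
    @{ Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideFileExt';     Ioc=1; Restore=0 }
    @{ Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='ShowSuperHidden'; Ioc=0; Restore=1 }
    @{ Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools'; Ioc=1; Restore=$null }
    @{ Path='HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='SFCScan';    Ioc=0;          Restore=$null }
    @{ Path='HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='SFCDisable'; Ioc=4294967197; Restore=$null }
)
# Security Center switches: the sample hit the WOW6432Node view; check both views.
foreach ($sc in 'HKLM:\SOFTWARE\Microsoft\Security Center',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center') {
    foreach ($n in 'AntiVirusDisableNotify','FirewallDisableNotify','UpdatesDisableNotify',
                   'AntiVirusOverride','FirewallOverride','FirstRunDisabled') {
        $valueChecks += @{ Path=$sc; Name=$n; Ioc=1; Restore=$null }
    }
}
# Run-key persistence; the third value was written to the key's (Default) value.
$runEntries = @(
    @{ Name='xzatvxic'; Image='tsyzeztzbw.exe' }
    @{ Name='sjometke'; Image='etoprslfhjrwtlj.exe' }
    @{ Name='';         Image='takkhchqmqgmr.exe' }
)
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') {
    foreach ($e in $runEntries) {
        $valueChecks += @{ Path=$run; Name=$e.Name; Ioc=$e.Image; Restore=$null }
    }
}
# Script-extension hijack: each extension's ProgID was pointed at txtfile (Notepad).
# Restore targets are the stock Windows ProgIDs (assumed here).
$stockProgIds = @{ '.bat'='batfile'; '.reg'='regfile'; '.vbs'='VBSFile';
                   '.wsc'='scriptletfile'; '.wsf'='WSFFile'; '.wsh'='WSHFile' }
foreach ($ext in $stockProgIds.Keys) {
    $valueChecks += @{ Path="HKLM:\SOFTWARE\Classes\$ext"; Name=''; Ioc='txtfile'; Restore=$stockProgIds[$ext] }
}

function Invoke-RegistryIocAudit {
    $findings = @()
    foreach ($c in $valueChecks) {
        $actual = Get-RegValue $c.Path $c.Name
        if (-not (Test-SameValue $actual $c.Ioc)) { continue }
        $findings += [pscustomobject]@{ Key=$c.Path; Name=$c.Name; Value=$actual }
        if ($Remediate) {
            $propName = if ($c.Name -eq '') { '(default)' } else { $c.Name }
            if ($null -eq $c.Restore) {
                Remove-ItemProperty -LiteralPath $c.Path -Name $propName -ErrorAction Stop
            } else {
                Set-ItemProperty -LiteralPath $c.Path -Name $propName -Value $c.Restore -ErrorAction Stop
            }
        }
    }
    return ,$findings
}

$findings = Invoke-RegistryIocAudit
if ($findings.Count -eq 0) { Write-Host 'No registry IoCs from this report found.' }
else { $findings | Format-Table -AutoSize }
```

Run it once without -Remediate to record what is present (and export the affected keys with reg.exe before changing anything), then again with -Remediate. HideFileExt and ShowSuperHidden are flagged whenever they hold the sample's values even though those are the Windows defaults, so on a clean default install both will appear; the restore values for them are a hardening choice rather than a default. Removing the Run entries without also removing the files they point to leaves the drops on disk, so pair this with a file sweep.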
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe  (PID 3224)
  command line: "C:\Users\Admin\AppData\Local\Temp\ee93a50df5c496640d8e0943f5efc2ce_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\tsyzeztzbw.exe  (PID 1488, parent 3224)
    command line: tsyzeztzbw.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\xbzazihz.exe  (PID 4896, parent 1488)
      command line: C:\Windows\system32\xbzazihz.exe
      (the command line names System32 but the image lives in SysWOW64: the 32-bit parent's path was redirected by WOW64 file system redirection, the same reason all the drops above landed in SysWOW64)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\etoprslfhjrwtlj.exe  (PID 4992, parent 3224)
    command line: etoprslfhjrwtlj.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\xbzazihz.exe  (PID 4996, parent 3224)
    command line: xbzazihz.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\takkhchqmqgmr.exe  (PID 1400, parent 3224)
    command line: takkhchqmqgmr.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 3836, parent 3224)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    (legitimate Word, started by the sample to display the dropped decoy mydoc.rtf)
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
-
Filesize: 512KB
MD5: a40d768732834b1baf6495a2474e5f50
SHA1: 719fb43ef7844698f30dfc7c877b9da6f68046c9
SHA256: e5a376043ce60d5d142040e09c5c4cad95a6a38b1c11176b8b53566251dda064
SHA512: 4b0bb458349d271d0ed8d0e6f3ca8fa781a7e59d5c755771723333450c95b7ab9517c85009d8ba9322e2a3b4de56770b3e1ee68880c99ab85fe6781244900932
-
Filesize: 512KB
MD5: 6f42d125ae174dfab6e7b54ae22e8a8d
SHA1: 35077a54ec6052f13bfe084b36d0d5080d848658
SHA256: 814bb60e7a82e66fefd8ebdece48538fb4bcbc0a25075681d6df1c044c1b8647
SHA512: 9a69cdb485d56ae87411a8574fa80e976854ff781fd5c593ec3a3809b5c969cf8cfc77fa1c1ad88a64a090fb0551d8b634d97b10ec83513b314d4e4e4049437a
-
Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize: 295B
MD5: c8c7f72302e1a07f8ef6682e22b550d6
SHA1: b0d240036e25ba0d0651cfea5750690dd699987d
SHA256: 0708ee25df8ed2983ac2e37cf2c9122278c74a2cc271d926229e59be874c16fa
SHA512: db63ab2e300d70ee662f495fa7663800ea62e42743a0a24a7da58acc160362f3766cfbab9792024567bdba48dd1dc22b6f1afe46c626194934ba9941a3c569ce
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 18309c227a19453a7b05d91710cfa7b0
SHA1: daf56cad0bfedd4d4da46f5935ee42368d4fe089
SHA256: 64e9ed93a96105b6330d1aecef7564410c3a49a64dbaf286aacdffa60b640ba9
SHA512: 2be525fbcb562a5605e07a3d7b93dabb769444627fab02dad09b8ff7bea620fce91740a0381d0cadd9f768b91028bceb07a49477574d536e4ab1f36481702681
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 2KB
MD5: 317803e994dddc0cbdd62fba89ba0ed0
SHA1: 91aed044246d836b39c52c59337042cf01f0f974
SHA256: 3cef172a7dda8bf0aa693f3174d6ad0f336c8939652766d640eb4f757623bbf6
SHA512: 16c9865cf80d913fd93131ab742d9cd7aa657e6c0c42f3870da6bc0353eca347e64aaf60604db45e99460eb9462dbd9802131b338c427e149a4b48a924935607
-
Filesize: 512KB
MD5: a0cb4d0c5c003272e8c58c4e7580f01c
SHA1: 429d9b7291eba112e63521e620322832807ef04e
SHA256: 025d75e708cf74241c722b0229c85f16373d5c392a948126cbcac0eb6098e50f
SHA512: 0bcfa0e0d5549f2d65bde0c9f588b42f5c5c7816fbd372219f959d71aaaef3c517172636562042cd6d6f50c29fc5cc6a260cdb171150c6e95ba7855f203a0879
-
Filesize: 512KB
MD5: 12fbfc83df548efc4b8dbd24ab55885b
SHA1: c3cae485461fd12e15a06bfdd0a01a27752a873a
SHA256: 1b98d677091cf438a54bbbdfd139a3d1e5c5cbaa67fde9b24dfbeca4d1a118f9
SHA512: f9c39dff897e5625da19e6abf37e983f30f81a5c10c4f4daffe6688507c9171d87d2e4af76c67040f63efbe2a329c45d69c15c6578171bf6205de7b905a5a7c0
-
Filesize: 512KB
MD5: 7ed3d9b77c1f1475b67a73a2db404a44
SHA1: 07ec1372aad74c271860c1a0e624df8d48c9ea10
SHA256: 1ded76b288072ca1ef58dde357d48a5db70253feb098d9e67e281cbe9ae47977
SHA512: 2206e1638a0f27c016ddfc71dc9f5c6395f2a73b065bb211c114db220252107d308c2bccf329cceedc3e8eecfc131c5522be701e8b8c3b611054028a86bc32e2
-
Filesize: 512KB
MD5: ec8ee11b5abf9c5cef77cd5243a8806a
SHA1: aae9f19b3547768e43423fcac9d691cfae3be5c4
SHA256: 82ee5a0be1c74463ca70b31155b6f1cf52f1ede3a786b681d86c0fc6ad91af72
SHA512: 06767d66bd7a7e72e3d21cc9bae7e17b2d9f2d46243cef48fb67223f4395143bf10ffe324d54e2a55d72d76b4c21854d5af753e56dddf720eb405ca3cf8a2522
-
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize: 512KB
MD5: 616d823ceccd35314a6b6271796a9e33
SHA1: 447af4f86b43a2094b16a72567b5b89aebfb4dae
SHA256: 6613d5d74c691f46a79e90368b241bb41ebde9840c1afc889d6594e338d6268b
SHA512: 05fccb0fb5ffe2b17d63b752e8d8b4e3e70a8043bad4cde809f1804d5df5227f74b5effb527a8228c8445a6030ebff65e733de3a9c6d4d3ae69b34977272f0b4
-
Filesize: 512KB
MD5: 8c4f90589349b12587d500b7c6f4f1e4
SHA1: 5144b06e3ce76cc56aff83e3bc4a98aa10451e52
SHA256: 309621cae884025ea47b30d77c3a24ea1d284518be9b10a3125f653aaa87b2c2
SHA512: 7a8ab22d3d850baa7be14d34ed05db0eee2a7ab0de42585d02d8c4667197fda03c49f1a2c4f9d77cd7cd3db20cc34180e57b7833438aa2d44dd745d0397122e6
-
Most entries above have no file path on this page; only the two Word jump-list files (customDestinations-ms, a by-product of WINWORD.EXE opening mydoc.rtf) are named. Eight of the drops are 512KB, the same size as the submitted sample, yet every one has a different hash from the sample and from each other, so the copies are not byte-identical to their parent and a hash match on the original file alone will not find them.
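Because the 512KB copies all hash differently, a responder sweeping a host for this sample needs more than the hash list. The PowerShell below is an added example and is not part of the tria.ge report or the sample: it hashes the files in the directories the "Drops file in ..." signatures name and matches them against the SHA-256 values listed in Downloads and General, and additionally flags executables carrying the compiled-AutoIt marker "AU3!EA06" (every drop here matched the autoit_exe rule) or a document-style double extension such as PROTTPLV.DOC.exe. The directory list, the extension filter and the two heuristics are assumptions made here; the hashes are copied from the report.

```powershell
# Added example, not part of the tria.ge report: sweep the directories the
# sample wrote into for files whose SHA-256 is in this report's hash set, and
# flag files that carry the compiled-AutoIt marker or a double extension such
# as PROTTPLV.DOC.exe. Every 512KB drop listed above hashes differently from
# the submitted sample, so the hash set alone would miss a fresh infection;
# the marker and name heuristics are assumptions made here. The two
# customDestinations-ms entries are Word jump-list files and are left out.
$knownSha256 = @(
    'c5a2b0d2b91620edfb58e777c9e7dcf44b11e8347a822ee3c659fdf81b318077',   # submitted sample
    'e5a376043ce60d5d142040e09c5c4cad95a6a38b1c11176b8b53566251dda064',
    '814bb60e7a82e66fefd8ebdece48538fb4bcbc0a25075681d6df1c044c1b8647',
    '3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5',
    '0708ee25df8ed2983ac2e37cf2c9122278c74a2cc271d926229e59be874c16fa',
    '025d75e708cf74241c722b0229c85f16373d5c392a948126cbcac0eb6098e50f',
    '1b98d677091cf438a54bbbdfd139a3d1e5c5cbaa67fde9b24dfbeca4d1a118f9',
    '1ded76b288072ca1ef58dde357d48a5db70253feb098d9e67e281cbe9ae47977',
    '82ee5a0be1c74463ca70b31155b6f1cf52f1ede3a786b681d86c0fc6ad91af72',
    '85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2',
    '6613d5d74c691f46a79e90368b241bb41ebde9840c1afc889d6594e338d6268b',
    '309621cae884025ea47b30d77c3a24ea1d284518be9b10a3125f653aaa87b2c2'
)
# Directories from the "Drops file in ..." signatures, scanned non-recursively,
# plus the WinSxS component folders the sample planted MsoIrmProtector.doc.exe in.
$scanDirs = @(
    $env:SystemRoot,
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\SysWOW64\MSDRM",
    "${env:ProgramFiles}\Microsoft Office\root\Office16\1033"
) + @(Get-ChildItem -LiteralPath "$env:SystemRoot\WinSxS" -Directory -Filter '*office-protectors*' -ErrorAction SilentlyContinue | ForEach-Object FullName)
$hashExtensions = '.exe', '.dll', '.rtf', '.nal'   # the types the sample created or touched

function Test-AutoItMarker([string]$Path) {
    # Compiled AutoIt3 scripts carry the literal "AU3!EA06" in their resource/overlay.
    $fi = Get-Item -LiteralPath $Path
    if ($fi.Length -gt 20MB) { return $false }   # drops here are ~512KB; skip big binaries
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    return $text.Contains('AU3!EA06')
}

function Invoke-DropSweep {
    $hits = @()
    foreach ($dir in $scanDirs) {
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
            if ($hashExtensions -notcontains $f.Extension.ToLower()) { continue }
            $why = @()
            $sha = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($sha -and ($knownSha256 -contains $sha.ToLower())) { $why += 'hash listed in report' }
            if ($f.Name -match '\.(doc|docx|rtf|txt|pdf)\.exe$') { $why += 'double extension' }
            if ($f.Extension -eq '.exe' -and (Test-AutoItMarker $f.FullName)) { $why += 'compiled AutoIt' }
            if ($why.Count -gt 0) {
                $hits += [pscustomobject]@{ Path=$f.FullName; Bytes=$f.Length; SHA256=$sha; Why=($why -join ', ') }
            }
        }
    }
    return ,$hits
}

$hits = Invoke-DropSweep
if ($hits.Count -eq 0) { Write-Host 'Nothing matching this report found.' }
else { $hits | Format-Table -AutoSize }
```

Run it elevated; hashing SysWOW64 takes a minute or two. A hit flagged only as "compiled AutoIt" needs a look before acting on it, since legitimate AutoIt-built tools exist, whereas a double-extension executable inside an Office template directory or a WinSxS component folder has no legitimate explanation. Copy anything found (with its hash) to a quarantine location before deleting, and remove the Run entries and script-extension hijack from the registry in the same session so the drops are not relaunched at the next logon.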