Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
20/09/2024, 23:28
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
Resource
win7-20240708-en
windows7-x64
25 signatures
150 seconds
General
-
Target
eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
-
Size
512KB
-
MD5
eea3ff7a3533c37bb102a18ae801d651
-
SHA1
cd34b8cf0cc866cfd702bca069ae03782f7390e9
-
SHA256
124eb5af22ea3cd9780ab256cfaa916c999a232ec49a31aae5c88fa0d889694c
-
SHA512
14654258f230de1a13f37d1f8c02eeda3a58a6800ab5983093938b8d38c3e869cede1d662779080204cf634e58dc766c76d0d4663d93f4e4a6c04b07a5374ff3
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" pfdyswgpsg.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" pfdyswgpsg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" pfdyswgpsg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" pfdyswgpsg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" pfdyswgpsg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" pfdyswgpsg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" pfdyswgpsg.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" pfdyswgpsg.exe -
Executes dropped EXE 5 IoCs
pid Process 2712 pfdyswgpsg.exe 2756 vwtyckcahqmcvdl.exe 2764 xdoleoze.exe 2760 raqrreeqaguzf.exe 2624 xdoleoze.exe -
Loads dropped DLL 5 IoCs
pid Process 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2712 pfdyswgpsg.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" pfdyswgpsg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" pfdyswgpsg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" pfdyswgpsg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" pfdyswgpsg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" pfdyswgpsg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" pfdyswgpsg.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kstreden = "pfdyswgpsg.exe" vwtyckcahqmcvdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\delcvoak = "vwtyckcahqmcvdl.exe" vwtyckcahqmcvdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "raqrreeqaguzf.exe" vwtyckcahqmcvdl.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\x: pfdyswgpsg.exe File opened (read-only) \??\k: xdoleoze.exe File opened (read-only) \??\a: pfdyswgpsg.exe File opened (read-only) \??\e: pfdyswgpsg.exe File opened (read-only) \??\k: pfdyswgpsg.exe File opened (read-only) \??\m: pfdyswgpsg.exe File opened (read-only) \??\v: pfdyswgpsg.exe File opened (read-only) \??\m: xdoleoze.exe File opened (read-only) \??\w: xdoleoze.exe File opened (read-only) \??\w: pfdyswgpsg.exe File opened (read-only) \??\b: xdoleoze.exe File opened (read-only) \??\h: pfdyswgpsg.exe File opened (read-only) \??\u: pfdyswgpsg.exe File opened (read-only) \??\e: xdoleoze.exe File opened (read-only) \??\k: xdoleoze.exe File opened (read-only) \??\t: xdoleoze.exe File opened (read-only) \??\p: pfdyswgpsg.exe File opened (read-only) \??\z: pfdyswgpsg.exe File opened (read-only) \??\r: pfdyswgpsg.exe File opened (read-only) \??\l: xdoleoze.exe File opened (read-only) \??\m: xdoleoze.exe File opened (read-only) \??\n: xdoleoze.exe File opened (read-only) \??\i: xdoleoze.exe File opened (read-only) \??\n: pfdyswgpsg.exe File opened (read-only) \??\v: xdoleoze.exe File opened (read-only) \??\y: xdoleoze.exe File opened (read-only) \??\j: xdoleoze.exe File opened (read-only) \??\b: pfdyswgpsg.exe File opened (read-only) \??\b: xdoleoze.exe File opened (read-only) \??\r: xdoleoze.exe File opened (read-only) \??\w: xdoleoze.exe File opened (read-only) \??\r: xdoleoze.exe File opened (read-only) \??\s: xdoleoze.exe File opened (read-only) \??\z: xdoleoze.exe File opened (read-only) \??\i: pfdyswgpsg.exe File opened (read-only) \??\i: xdoleoze.exe File opened (read-only) \??\h: xdoleoze.exe File opened (read-only) \??\q: xdoleoze.exe File opened (read-only) \??\g: pfdyswgpsg.exe File opened (read-only) \??\e: xdoleoze.exe File opened (read-only) \??\a: xdoleoze.exe File opened (read-only) \??\q: xdoleoze.exe File opened (read-only) \??\u: xdoleoze.exe File opened (read-only) \??\l: xdoleoze.exe File opened (read-only) \??\q: pfdyswgpsg.exe File opened (read-only) \??\s: pfdyswgpsg.exe File opened (read-only) \??\t: pfdyswgpsg.exe File opened (read-only) \??\s: xdoleoze.exe File opened (read-only) \??\h: xdoleoze.exe File opened (read-only) \??\g: xdoleoze.exe File opened (read-only) \??\v: xdoleoze.exe File opened (read-only) \??\x: xdoleoze.exe File opened (read-only) \??\o: pfdyswgpsg.exe File opened (read-only) \??\g: xdoleoze.exe File opened (read-only) \??\u: xdoleoze.exe File opened (read-only) \??\j: pfdyswgpsg.exe File opened (read-only) \??\o: xdoleoze.exe File opened (read-only) \??\p: xdoleoze.exe File opened (read-only) \??\x: xdoleoze.exe File opened (read-only) \??\z: xdoleoze.exe File opened (read-only) \??\a: xdoleoze.exe File opened (read-only) \??\l: pfdyswgpsg.exe File opened (read-only) \??\y: pfdyswgpsg.exe File opened (read-only) \??\j: xdoleoze.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" pfdyswgpsg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" pfdyswgpsg.exe -
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2308-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x0009000000016d5a-9.dat autoit_exe behavioral1/files/0x00090000000120f9-17.dat autoit_exe behavioral1/files/0x0008000000016d49-24.dat autoit_exe behavioral1/files/0x0008000000016d71-38.dat autoit_exe behavioral1/files/0x0007000000017349-67.dat autoit_exe behavioral1/files/0x0009000000017355-72.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\raqrreeqaguzf.exe eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe File created C:\Windows\SysWOW64\pfdyswgpsg.exe eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe File created C:\Windows\SysWOW64\vwtyckcahqmcvdl.exe eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\vwtyckcahqmcvdl.exe eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe File created C:\Windows\SysWOW64\raqrreeqaguzf.exe eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll pfdyswgpsg.exe File opened for modification C:\Windows\SysWOW64\pfdyswgpsg.exe eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe File created C:\Windows\SysWOW64\xdoleoze.exe eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\xdoleoze.exe eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe xdoleoze.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe xdoleoze.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe xdoleoze.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe xdoleoze.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe xdoleoze.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe xdoleoze.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe xdoleoze.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal xdoleoze.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe xdoleoze.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe xdoleoze.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal xdoleoze.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal xdoleoze.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal xdoleoze.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe xdoleoze.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vwtyckcahqmcvdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xdoleoze.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language raqrreeqaguzf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xdoleoze.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pfdyswgpsg.exe -
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 19 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAF9CAFE10F29083083B4A86983990B0FE038A4365033AE2C8429D08A6" eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat pfdyswgpsg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs pfdyswgpsg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf pfdyswgpsg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" pfdyswgpsg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" pfdyswgpsg.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C7E9C2D82566D3F77D770212DDE7CF664DE" eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78368B6FF1B22DAD20CD0D18A7C9164" eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" pfdyswgpsg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" pfdyswgpsg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C6741597DAC3B9B97C90ED9F34BB" eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg pfdyswgpsg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" pfdyswgpsg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B12E47E139EE53CBBADD339FD7B8" eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FFF94F5882139041D75B7D90BC97E133594066426234D7E9" eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh pfdyswgpsg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc pfdyswgpsg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" pfdyswgpsg.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3036 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2756 vwtyckcahqmcvdl.exe 2756 vwtyckcahqmcvdl.exe 2756 vwtyckcahqmcvdl.exe 2756 vwtyckcahqmcvdl.exe 2756 vwtyckcahqmcvdl.exe 2764 xdoleoze.exe 2764 xdoleoze.exe 2764 xdoleoze.exe 2764 xdoleoze.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2712 pfdyswgpsg.exe 2712 pfdyswgpsg.exe 2712 pfdyswgpsg.exe 2712 pfdyswgpsg.exe 2712 pfdyswgpsg.exe 2624 xdoleoze.exe 2624 xdoleoze.exe 2624 xdoleoze.exe 2624 xdoleoze.exe 2756 vwtyckcahqmcvdl.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2756 vwtyckcahqmcvdl.exe 2756 vwtyckcahqmcvdl.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2756 vwtyckcahqmcvdl.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2756 vwtyckcahqmcvdl.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2756 vwtyckcahqmcvdl.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2756 vwtyckcahqmcvdl.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2756 vwtyckcahqmcvdl.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2756 vwtyckcahqmcvdl.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2756 vwtyckcahqmcvdl.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2756 vwtyckcahqmcvdl.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2756 vwtyckcahqmcvdl.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2756 vwtyckcahqmcvdl.exe 2712 pfdyswgpsg.exe 2712 pfdyswgpsg.exe 2712 pfdyswgpsg.exe 2756 vwtyckcahqmcvdl.exe 2756 vwtyckcahqmcvdl.exe 2764 xdoleoze.exe 2764 xdoleoze.exe 2764 xdoleoze.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2624 xdoleoze.exe 2624 xdoleoze.exe 2624 xdoleoze.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 2756 vwtyckcahqmcvdl.exe 2712 pfdyswgpsg.exe 2712 pfdyswgpsg.exe 2712 pfdyswgpsg.exe 2756 vwtyckcahqmcvdl.exe 2756 vwtyckcahqmcvdl.exe 2764 xdoleoze.exe 2764 xdoleoze.exe 2764 xdoleoze.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2760 raqrreeqaguzf.exe 2624 xdoleoze.exe 2624 xdoleoze.exe 2624 xdoleoze.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3036 WINWORD.EXE 3036 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2308 wrote to memory of 2712 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 31 PID 2308 wrote to memory of 2712 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 31 PID 2308 wrote to memory of 2712 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 31 PID 2308 wrote to memory of 2712 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 31 PID 2308 wrote to memory of 2756 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 32 PID 2308 wrote to memory of 2756 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 32 PID 2308 wrote to memory of 2756 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 32 PID 2308 wrote to memory of 2756 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 32 PID 2308 wrote to memory of 2764 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 33 PID 2308 wrote to memory of 2764 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 33 PID 2308 wrote to memory of 2764 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 33 PID 2308 wrote to memory of 2764 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 33 PID 2308 wrote to memory of 2760 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 34 PID 2308 wrote to memory of 2760 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 34 PID 2308 wrote to memory of 2760 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 34 PID 2308 wrote to memory of 2760 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 34 PID 2712 wrote to memory of 2624 2712 pfdyswgpsg.exe 35 PID 2712 wrote to memory of 2624 2712 pfdyswgpsg.exe 35 PID 2712 wrote to memory of 2624 2712 pfdyswgpsg.exe 35 PID 2712 wrote to memory of 2624 2712 pfdyswgpsg.exe 35 PID 2308 wrote to memory of 3036 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 36 PID 2308 wrote to memory of 3036 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 36 PID 2308 wrote to memory of 3036 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 36 PID 2308 wrote to memory of 3036 2308 eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe 36 PID 3036 wrote to memory of 1320 3036 WINWORD.EXE 38 PID 3036 wrote to memory of 1320 3036 WINWORD.EXE 38 PID 3036 wrote to memory of 1320 3036 WINWORD.EXE 38 PID 3036 wrote to memory of 1320 3036 WINWORD.EXE 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\pfdyswgpsg.exepfdyswgpsg.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\xdoleoze.exeC:\Windows\system32\xdoleoze.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2624
-
-
-
C:\Windows\SysWOW64\vwtyckcahqmcvdl.exevwtyckcahqmcvdl.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2756
-
-
C:\Windows\SysWOW64\xdoleoze.exexdoleoze.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2764
-
-
C:\Windows\SysWOW64\raqrreeqaguzf.exeraqrreeqaguzf.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2760
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1320
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5b428c11240a2f519301e5f4f5c057c77
SHA14b95c97d0b7d43dcb35c021628cb44aa20ff2270
SHA256aa5980d5ab787e1d31ca358f00289c55276e553cd36e83538fc5917e77d4e171
SHA5120d70e26b62b8df1c50253f4e1102f73ad472e459a7c7f6a3e7a85e1cb95e6c395970f3996fb7df03b1091d20ecaaf369660cb9c2397d42009b6c6667cc477a69
-
Filesize
512KB
MD5764b41e8ac43d06387ec928ef3d8b1f2
SHA19506f383070dc7fe2197c44c306ebdd6daf22157
SHA2567c04b4880d510351ec8213178cf97e3d043a7f777318c716a5b1b672c4e57928
SHA512e589d933f02248cb8c3fc1e172ad5af5a8cbd27cc98aea7db9f0e0526ed4599782b1f6cd7db44427f7d9377eb1538bd719842c860db262c6ecab2444583d1cc5
-
Filesize
19KB
MD5cfc1f523d4b306a37f9969750048f5c4
SHA1abe3e57df37eadb68be08ef2859b5d89ff49be3a
SHA256ecce54e4c01ef2185c67e5fad668703e97ac8f23f0cbc54b0dfddb2b1097de04
SHA51297ec992036ddae079f737d7d6fa951ee0a43f0b3e3d77ecb420131607a133453a746d4879170bc5bc6e95bc3875d0bfb57de786dd3562e6e6ddb9c66d9cf3857
-
Filesize
512KB
MD5577defb265699b63843dfa943b774aa0
SHA19e062dd884b01f8fd2eb5e0ad9a9be568cc3d384
SHA25691ae37e507757fe85e2abe14e6f965096200b0eec348d06fb0bf89c96fba15b2
SHA512ef76ac1fc5b2349db2e25d0e891ba9743261d853caab8339d290d09d6ba03379fffc11cf7683c6024f1f3e892757df8d66d3bb962d51ce1aca6c85d7c7ec237d
-
Filesize
512KB
MD579a4a0d11db247f1723cac1a123bfbe1
SHA1ac10a155a8b5af2b186d708353b783e6b2d85974
SHA256ad96c877da2b626ccfd3aac0a38015a37d5346227c2ddd00773d5a0981e3347c
SHA512055063cf5187fea1d815df0397d12f16cac66d42472dc30a12c609bc6a95b02ab2530f37e735cfb29ec28fc7bfb6123fdc4b279f6a350d163aca185f25ba65db
-
Filesize
512KB
MD52d58693bf88acdeeda5240d6ea7da56f
SHA1ff6d82c52e418738ea5f4cdb5cc2836fedc9dbd8
SHA2561dea8e40d542601a4e60729cc8b526ea7d43806b411336db520fdb3059636cda
SHA51264e8d92a7bf48d73fbb1c7ad8e950193cd496561e21fe1f7b86e03b93c48adc2b677dc22d1bcab8ef708c400ee38c0333f04c3a2edfebb20c0a4378c948f6ba8
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5b6eafad6ac2475fd3421c979be087d01
SHA19db693b35a18faf09904c05bc1ffd6f998932a2e
SHA25621918d4ed883f3cdf2818ec17c5dc89761a1a08ae0ef8b9e9163bbc4b4a1dc84
SHA5125144ecaef006226ec90d4187b6d6d27cb9e5d9a800cae9c1fc60b01c256b1c16a8d3dc9dc834e38363e841df86e4e2cdc90b304a71fd3a251e80345cf3cc108b