Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20/09/2024, 23:52
Static task: static1
Behavioral task: behavioral1
Sample: eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
Size: 512KB
MD5: eeae49ada7ea91c10c6b3ad8c17efb23
SHA1: 8dc8ca1ba225cc9a0bffea5ca78a63cf901f7f6d
SHA256: 37d85a211b7bbf2ede2fe15c557146b0fa2db301c053dfd3817534a8b677d9ab
SHA512: b68e8c46428b39f38abad31bec82c82334d94c6329437542a7727ee2133573816db3cd80d897454bbe0118379e2d781ad7b994527dbf8858417cdb4909bd20a2
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6c:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5R
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | haiypnhjhg.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | haiypnhjhg.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | haiypnhjhg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | haiypnhjhg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | haiypnhjhg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | haiypnhjhg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | haiypnhjhg.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | haiypnhjhg.exe
Executes dropped EXE 5 IoCs
pid | Process
2660 | haiypnhjhg.exe
2060 | pmjwyhcefzqoswr.exe
2068 | vvcufoii.exe
2484 | wbimgjrxrgnte.exe
2704 | vvcufoii.exe
Loads dropped DLL 5 IoCs
pid | Process
2248 | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
2248 | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
2248 | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
2248 | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
2660 | haiypnhjhg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | haiypnhjhg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | haiypnhjhg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | haiypnhjhg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | haiypnhjhg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | haiypnhjhg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | haiypnhjhg.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wbimgjrxrgnte.exe" | pmjwyhcefzqoswr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xsvrshys = "haiypnhjhg.exe" | pmjwyhcefzqoswr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bwkuertq = "pmjwyhcefzqoswr.exe" | pmjwyhcefzqoswr.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | haiypnhjhg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | haiypnhjhg.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2248-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x000f000000018683-5.dat | autoit_exe
behavioral1/files/0x000a0000000120d6-17.dat | autoit_exe
behavioral1/files/0x0006000000018697-25.dat | autoit_exe
behavioral1/files/0x0007000000018706-38.dat | autoit_exe
behavioral1/files/0x0009000000017570-62.dat | autoit_exe
behavioral1/files/0x0008000000018d83-68.dat | autoit_exe
behavioral1/files/0x0005000000019426-84.dat | autoit_exe
behavioral1/files/0x00050000000193f9-82.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\pmjwyhcefzqoswr.exe | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\vvcufoii.exe | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wbimgjrxrgnte.exe | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vvcufoii.exe | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wbimgjrxrgnte.exe | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | haiypnhjhg.exe
File created | C:\Windows\SysWOW64\haiypnhjhg.exe | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\haiypnhjhg.exe | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pmjwyhcefzqoswr.exe | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
Drops file in Program Files directory 28 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\CompareHide.doc.exe | vvcufoii.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | vvcufoii.exe
File opened for modification | C:\Program Files\CompareHide.doc.exe | vvcufoii.exe
File opened for modification | C:\Program Files\ExitRequest.doc.exe | vvcufoii.exe
File created | \??\c:\Program Files\CompareHide.doc.exe | vvcufoii.exe
File opened for modification | C:\Program Files\ExitRequest.nal | vvcufoii.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | vvcufoii.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | vvcufoii.exe
File opened for modification | \??\c:\Program Files\CompareHide.doc.exe | vvcufoii.exe
File opened for modification | C:\Program Files\CompareHide.nal | vvcufoii.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | vvcufoii.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | vvcufoii.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | vvcufoii.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | vvcufoii.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | vvcufoii.exe
File opened for modification | C:\Program Files\CompareHide.nal | vvcufoii.exe
File created | \??\c:\Program Files\ExitRequest.doc.exe | vvcufoii.exe
File opened for modification | C:\Program Files\ExitRequest.nal | vvcufoii.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | vvcufoii.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | vvcufoii.exe
File opened for modification | C:\Program Files\CompareHide.doc.exe | vvcufoii.exe
File opened for modification | \??\c:\Program Files\ExitRequest.doc.exe | vvcufoii.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | vvcufoii.exe
File opened for modification | C:\Program Files\ExitRequest.doc.exe | vvcufoii.exe
File opened for modification | \??\c:\Program Files\ExitRequest.doc.exe | vvcufoii.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | vvcufoii.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | vvcufoii.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | vvcufoii.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | haiypnhjhg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pmjwyhcefzqoswr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vvcufoii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wbimgjrxrgnte.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vvcufoii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 19 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | haiypnhjhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B02C4794389853C8BADD329CD7CF" | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | haiypnhjhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | haiypnhjhg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | haiypnhjhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | haiypnhjhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | haiypnhjhg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C799C2082566D4576A5702E2CAD7D8664DE" | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668B6FF1D22DAD173D0A68B099010" | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C70F1596DBBEB8C17FE6ECE537C8" | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | haiypnhjhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFFFC4829851C9146D72D7E97BCE5E630594067326243D791" | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | haiypnhjhg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | haiypnhjhg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | haiypnhjhg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | haiypnhjhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5FAB9F967F2E784793B3286983994B08903FE42690349E2CD45E709A8" | eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | haiypnhjhg.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2300 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2300 | WINWORD.EXE
2300 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe"
    PID: 2248
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [level 2] C:\Windows\SysWOW64\haiypnhjhg.exe
        Command line: haiypnhjhg.exe
        PID: 2660
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [level 3] C:\Windows\SysWOW64\vvcufoii.exe
            Command line: C:\Windows\system32\vvcufoii.exe
            PID: 2704
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [level 2] C:\Windows\SysWOW64\pmjwyhcefzqoswr.exe
        Command line: pmjwyhcefzqoswr.exe
        PID: 2060
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [level 2] C:\Windows\SysWOW64\vvcufoii.exe
        Command line: vvcufoii.exe
        PID: 2068
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [level 2] C:\Windows\SysWOW64\wbimgjrxrgnte.exe
        Command line: wbimgjrxrgnte.exe
        PID: 2484
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [level 2] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        PID: 2300
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [level 3] C:\Windows\splwow64.exe
            Command line: C:\Windows\splwow64.exe 12288
            PID: 316
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads