Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/09/2024, 08:53
Static task: static1
Behavioral task: behavioral1
Sample: fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
Size: 512KB
MD5: fa194653ada608d5c37145813acd5715
SHA1: 7992964158202ed0a5a68cf970f8a8619dfaa87c
SHA256: 08c3c75b93f5ff45351e8f2ba9f4af4d7b13cb65093128065c08ed53933dc564
SHA512: ce1a0974ff4f009a3fd5cd0bf3907a3fa2e5e6a81af13ba39486f489868ca65412ed064b383bcf6a853e93d98d490fcae3e9f008513e38e47e795761658a3928
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6w:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5D
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | halmfbxysu.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | halmfbxysu.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | halmfbxysu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | halmfbxysu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | halmfbxysu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | halmfbxysu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | halmfbxysu.exe
(The Wow6432Node path is WOW64 registry redirection at work: the sample is a 32-bit process on a 64-bit image, so its HKLM\SOFTWARE writes land in the 32-bit view. No write to the native 64-bit Security Center key appears in this trace.)
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | halmfbxysu.exe
Executes dropped EXE (5 IoCs)
pid | Process
3012 | halmfbxysu.exe
2800 | mtktluujjybkbhn.exe
3044 | lkmyeegw.exe
2724 | vpzddyufbneou.exe
3064 | lkmyeegw.exe
Loads dropped DLL (5 IoCs)
pid | Process
2336 | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe (4 loads)
3012 | halmfbxysu.exe (1 load)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | halmfbxysu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | halmfbxysu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | halmfbxysu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | halmfbxysu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | halmfbxysu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | halmfbxysu.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xabwhvrj = "halmfbxysu.exe" | mtktluujjybkbhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kyrgxepg = "mtktluujjybkbhn.exe" | mtktluujjybkbhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ (the key's default value, empty name) = "vpzddyufbneou.exe" | mtktluujjybkbhn.exe
(All three entries name the dropped file without a directory, so they rely on the executable search path rather than an absolute path; the files themselves were written to C:\Windows\SysWOW64, see "Drops file in System32 directory" below.)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a:, \??\b:, \??\e:, and \??\h: through \??\z:, each once (22 opens) | halmfbxysu.exe
File opened (read-only) | \??\a:, \??\b:, \??\e:, \??\g:, and \??\h: through \??\z: (42 opens; every letter opened twice except \??\p:, \??\r:, \??\v: and \??\w:, which were opened once) | lkmyeegw.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | halmfbxysu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | halmfbxysu.exe
(4294967197 is 0xFFFFFF9D, the legacy value that switched off Windows File Protection on Windows 2000/XP. Windows 7's Windows Resource Protection does not honour it, and it is written to the Wow6432Node view rather than the native Winlogon key, so on this platform it is an indicator of intent rather than a working bypass.)
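Added example, not part of this Triage report and not code from the sample: a PowerShell audit of the registry values listed under the Explorer, Security Center, RegEdit and Winlogon signatures above, with an optional restore to stock Windows settings. It assumes an elevated 64-bit PowerShell session on the host being checked (so both the native HKLM view and the Wow6432Node view the 32-bit sample wrote to are reachable), that the "Clean" values below are the Windows defaults for your build, and that every loaded profile hive under HKEY_USERS should be inspected. The -Remediate switch, the check table and the function name are this example's own.

```powershell
<#
Audit of the registry values the sample sets (paths and values copied from the
report's IoCs) and optional restore. Run as Administrator in 64-bit PowerShell.
Clean = value to restore; $null means "the value should not exist".
#>
[CmdletBinding()]
param([switch]$Remediate)   # without -Remediate the script only reports

$Checks = @()

# Per-machine values, checked in both registry views. The sample only hit the
# Wow6432Node view, but a 64-bit dropper would hit the native one.
foreach ($view in 'SOFTWARE', 'SOFTWARE\Wow6432Node') {
    foreach ($name in 'AntiVirusOverride', 'FirewallOverride', 'AntiVirusDisableNotify',
                      'FirewallDisableNotify', 'UpdatesDisableNotify', 'FirstRunDisabled') {
        $Checks += @{ Path = "HKLM:\$view\Microsoft\Security Center"; Name = $name; Bad = 1; Clean = $null }
    }
    # 4294967197 == 0xFFFFFF9D, the legacy "disable Windows File Protection" value.
    # Windows 7 ignores it, so it is an indicator, not a working bypass.
    $Checks += @{ Path = "HKLM:\$view\Microsoft\Windows NT\CurrentVersion\Winlogon"; Name = 'SFCDisable'; Bad = 4294967197; Clean = 0 }
}

# Per-user values, checked in every loaded profile hive (HKU\S-1-5-21-...-RID).
# HideFileExt=1 and ShowSuperHidden=0 are also the Windows defaults, so on their
# own they only corroborate; DisableRegistryTools=1 is never set by default.
$userHives = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
foreach ($hive in $userHives) {
    $cv = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion"
    $Checks += @{ Path = "$cv\Explorer\Advanced"; Name = 'HideFileExt';          Bad = 1; Clean = 0 }
    $Checks += @{ Path = "$cv\Explorer\Advanced"; Name = 'ShowSuperHidden';      Bad = 0; Clean = 1 }
    $Checks += @{ Path = "$cv\Policies\System";   Name = 'DisableRegistryTools'; Bad = 1; Clean = $null }
}

function Get-TamperedValue {
    param([hashtable]$Check)
    $current = $null
    if (Test-Path -LiteralPath $Check.Path) {
        $item = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($Check.Name) }
    }
    # REG_DWORD comes back as a signed Int32 (0xFFFFFF9D reads as -99); compare unsigned.
    $mask = [int64]4294967295
    $tampered = ($null -ne $current) -and
                (([int64]$current -band $mask) -eq ([int64]$Check.Bad -band $mask))
    [pscustomobject]@{ Path = $Check.Path; Name = $Check.Name; Current = $current
                       Tampered = $tampered; Clean = $Check.Clean }
}

$findings = foreach ($c in $Checks) { Get-TamperedValue $c }
$findings | Where-Object Tampered | Format-Table Path, Name, Current -AutoSize

if ($Remediate) {
    foreach ($f in ($findings | Where-Object Tampered)) {
        if ($null -eq $f.Clean) {
            Remove-ItemProperty -LiteralPath $f.Path -Name $f.Name
        } else {
            Set-ItemProperty -LiteralPath $f.Path -Name $f.Name -Value $f.Clean -Type DWord
        }
    }
}
```

Run it once without -Remediate, confirm the flagged paths are the ones from this report, then run it again with -Remediate. Explorer picks up the HideFileExt and ShowSuperHidden changes on its next refresh; DisableRegistryTools takes effect immediately for new regedit.exe launches.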
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2336-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x000800000001747b-9.dat | autoit_exe
behavioral1/files/0x000e00000001434d-17.dat | autoit_exe
behavioral1/files/0x0007000000017409-22.dat | autoit_exe
behavioral1/files/0x00070000000174ac-33.dat | autoit_exe
behavioral1/files/0x00090000000173e4-68.dat | autoit_exe
behavioral1/files/0x0008000000013a5d-64.dat | autoit_exe
behavioral1/files/0x00050000000193c4-82.dat | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\halmfbxysu.exe | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\mtktluujjybkbhn.exe | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vpzddyufbneou.exe | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\halmfbxysu.exe | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mtktluujjybkbhn.exe | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\lkmyeegw.exe | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\lkmyeegw.exe | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\vpzddyufbneou.exe | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | halmfbxysu.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lkmyeegw.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lkmyeegw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (4 opens, two of them via the \??\c:\ form of the path) | lkmyeegw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (4 opens, two of them via the \??\c:\ form of the path) | lkmyeegw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (2 opens) | lkmyeegw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (2 opens) | lkmyeegw.exe
(PROTTPLN.DOC.exe and PROTTPLV.DOC.exe are double-extension names; with HideFileExt set to "1" by halmfbxysu.exe above, Explorer displays them as PROTTPLN.DOC and PROTTPLV.DOC.)
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | halmfbxysu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mtktluujjybkbhn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lkmyeegw.exe (2 opens)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vpzddyufbneou.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
(This key is read by ordinary software as well; WINWORD.EXE triggers the same signature here, so treat it as low-signal on its own.)
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class (19 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C799C2583526A4376D2772E2DD77CF665DC" | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8F9B0F966F2E2837C3A44819E39E2B0FC03FD43110332E1CC42E808A4" | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B12147E338EB53CBBAD73292D4BE" | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFCFE4F2A856E913CD62E7E90BD92E130593267426331D691" | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0866BB4FE6622DFD278D1A88B7B9160" | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC77814E0DAC7B9CC7CE1EC9E34CE" | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | halmfbxysu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | halmfbxysu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | halmfbxysu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | halmfbxysu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | halmfbxysu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | halmfbxysu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | halmfbxysu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | halmfbxysu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | halmfbxysu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | halmfbxysu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | halmfbxysu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | halmfbxysu.exe
(Two distinct things happen here. The parent stores six hex strings under a self-made ProgID, CLV.Classes; the report does not decode them. halmfbxysu.exe then points the .bat, .reg, .vbs, .wsc, .wsf and .wsh extensions at the txtfile ProgID, so double-clicking any of those files opens it in Notepad instead of executing it. A cleanup .bat or .reg file will not run on an infected host until these defaults are restored.)
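Added example, not part of this Triage report and not code from the sample: a PowerShell check for the two persistence and evasion changes shown under "Adds Run key to start application" and "Modifies registry class" above. It assumes an elevated 64-bit PowerShell session, that the stock Windows ProgIDs listed in $ExpectedProgId are the correct handlers for your build, and that HKLM\SOFTWARE\Classes (not a per-user override) is where the remap happened, as in this report. The dropped file names from this run are not hard-coded; the Run-key heuristics (bare file name, use of the key's default value, unsigned target) are this example's own.

```powershell
<#
Checks for script-extension hijacking and suspicious Run values.
Run as Administrator in 64-bit PowerShell so both registry views are visible.
#>

# 1. Script extensions the sample remapped, with their stock Windows handlers.
$ExpectedProgId = @{
    '.bat' = 'batfile'; '.reg' = 'regfile'; '.vbs' = 'VBSFile'
    '.wsf' = 'WSFFile'; '.wsh' = 'WSHFile'; '.wsc' = 'scriptletfile'
}

function Get-HijackedExtension {
    # HKLM\SOFTWARE\Classes is the machine half of HKCR; a per-user override would
    # live under HKU\<SID>_Classes and is out of scope for this check.
    foreach ($ext in $ExpectedProgId.Keys) {
        $key = "HKLM:\SOFTWARE\Classes\$ext"
        $current = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        if ($current -and ($current -ne $ExpectedProgId[$ext])) {
            [pscustomobject]@{ Extension = $ext; Current = $current; Expected = $ExpectedProgId[$ext] }
        }
    }
}

# 2. Run values in both HKLM views and in every loaded user hive.
function Get-SuspiciousRunValue {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $runKeys += Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }

    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # provider metadata, not registry values
            $cmd = [string]$p.Value
            if (-not $cmd) { continue }
            # First token of the command line, honouring a quoted path.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $flags = @()
            # Bare file name: resolved through the search path, as the sample's three entries are.
            if ($exe -notmatch '[\\/]')  { $flags += 'bare-name' }
            # The sample used the key's (Default) value as an extra autostart slot.
            if ($p.Name -eq '(default)') { $flags += 'default-value' }
            $resolved = if ($exe -match '[\\/]') { $exe } else {
                @("$env:SystemRoot\SysWOW64\$exe", "$env:SystemRoot\System32\$exe") |
                    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
            }
            if ($resolved -and (Get-AuthenticodeSignature -LiteralPath $resolved).Status -ne 'Valid') {
                $flags += 'unsigned'   # a triage hint only; many legitimate autoruns are unsigned
            }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd
                               Resolved = $resolved; Flags = ($flags -join ',') }
        }
    }
}

Get-HijackedExtension  | Format-Table -AutoSize
Get-SuspiciousRunValue | Where-Object Flags | Format-Table -AutoSize
```

Restore a hijacked extension with Set-ItemProperty on the same key, for example `Set-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Classes\.reg' -Name '(default)' -Value 'regfile'`, before trying to import any cleanup .reg file; a Run value should be removed with Remove-ItemProperty only after the file it points to has been captured for analysis.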
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2864 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2336 | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe (8)
3012 | halmfbxysu.exe (5)
2800 | mtktluujjybkbhn.exe (17)
2724 | vpzddyufbneou.exe (26)
3044 | lkmyeegw.exe (4)
3064 | lkmyeegw.exe (4)
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
2336 | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe (3)
3012 | halmfbxysu.exe (3)
2800 | mtktluujjybkbhn.exe (3)
2724 | vpzddyufbneou.exe (3)
3044 | lkmyeegw.exe (3)
3064 | lkmyeegw.exe (3)
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
2336 | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe (3)
3012 | halmfbxysu.exe (3)
2800 | mtktluujjybkbhn.exe (3)
2724 | vpzddyufbneou.exe (3)
3044 | lkmyeegw.exe (3)
3064 | lkmyeegw.exe (3)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2864 | WINWORD.EXE (2)
Suspicious use of WriteProcessMemory (28 IoCs, 4 writes per parent/child pair)
description | pid | Process | procid_target
PID 2336 wrote to memory of 3012 | 2336 | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe | 31
PID 2336 wrote to memory of 2800 | 2336 | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe | 32
PID 2336 wrote to memory of 3044 | 2336 | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe | 33
PID 2336 wrote to memory of 2724 | 2336 | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe | 34
PID 3012 wrote to memory of 3064 | 3012 | halmfbxysu.exe | 35
PID 2336 wrote to memory of 2864 | 2336 | fa194653ada608d5c37145813acd5715_JaffaCakes118.exe | 36
PID 2864 wrote to memory of 1688 | 2864 | WINWORD.EXE | 38
Processes
- C:\Users\Admin\AppData\Local\Temp\fa194653ada608d5c37145813acd5715_JaffaCakes118.exe (PID 2336, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\fa194653ada608d5c37145813acd5715_JaffaCakes118.exe"
  signatures: Loads dropped DLL; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\halmfbxysu.exe (PID 3012, depth 2)
    command line: halmfbxysu.exe
    signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Windows security modification; Enumerates connected drives; Modifies WinLogon; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\lkmyeegw.exe (PID 3064, depth 3)
      command line: C:\Windows\system32\lkmyeegw.exe (the system32 path is redirected to SysWOW64 by WOW64 file system redirection for this 32-bit process)
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\mtktluujjybkbhn.exe (PID 2800, depth 2)
    command line: mtktluujjybkbhn.exe
    signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\lkmyeegw.exe (PID 3044, depth 2)
    command line: lkmyeegw.exe
    signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\vpzddyufbneou.exe (PID 2724, depth 2)
    command line: vpzddyufbneou.exe
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2864, depth 2)
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\splwow64.exe (PID 1688, depth 3)
      command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
1. Filesize: 512KB
   MD5: 29344e02d68067805dd5cf032680c82c
   SHA1: 0e5b30a697e8f9d34da410b195da2e4281043076
   SHA256: 7a8d15ce12c796dbd6482e7d3c8e1c8c84710b7388d7dc0026fcaa23a6ba950a
   SHA512: 09e7c563a333c6cfbb5477fec4ff49a05d71f7f914273b2a9f29a33a1615640e713f87eb84661db4633068a0638c7d1a113661af110a71ac640c2a9efab4d45c
2. Filesize: 19KB
   MD5: 0a86b0abb99bbb497a0010e421a307d6
   SHA1: 5d0e2bf08e6a064711cb9298bb4d226b1a158676
   SHA256: 2e47300050a87eeae89aba610c3c6f7a944712edaa1a2c07e0e95bc4e9a7381a
   SHA512: 74109233236cef93edc024a1d5e7c43f82eecf3c752d58614c41adcc9865fc74f6f20caf69f6a14aadfa65577272ed3b96817e86ea1954222a83e1d999dddb2c
3. Filesize: 512KB
   MD5: bc1577ee5dedca47050fc97a2c958127
   SHA1: 4a785e86bced9428a5557708d51683efa3396355
   SHA256: c36a480f0a96659788566674093692cd3c03199be69e89d8d9cbddaf7d9eaa24
   SHA512: d3660c5e9073abdcd22ff063b66a37f09b2f4c650283526b7c9b6f3923c3e1bd6d826d1a5bb23d9dcccf9ccf20771a661b603f4bd23ba00d198e329a19fab092
4. Filesize: 512KB
   MD5: 75abce5f4fb4c23caad52d8355eb6ad5
   SHA1: aa4940462d403d41512416e305fe9075c4863f31
   SHA256: f6aad6f6f659ca9c1c97794fc76359ce0212cfc7e1972ccf4f67794312153749
   SHA512: 857c2f87bf3c830d7539054ba75519127f060bbaeca34ab2c75de06f5da75887f69c8ba2710cccf582ca31fa762611cd7675573d1b603080db4504efd74282a3
5. Filesize: 223B
   MD5: 06604e5941c126e2e7be02c5cd9f62ec
   SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
   SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
   SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
6. Filesize: 512KB
   MD5: 4502b237fe1b239c79ddb3bb349aaaa8
   SHA1: 715b43433d21fbeb18cd37475b73a4e4adb0b858
   SHA256: 1493eafe4bb8092977c444f53f6ff3304324e2747aa58fd3fdda0a3740dbb05c
   SHA512: f6c9a84a24e34afeac055cd7ccbef5c24a1c4b143ec4f366de3d5c5fffbad20e7288285ef72afe0dd388afebb264aa63022af3e4ea64b311941981315178cb17
7. Filesize: 512KB
   MD5: d35d23d0d2954c44330eedd3b3b435ba
   SHA1: 79c4ea2a0feeada453e46828c17e71663078f749
   SHA256: cfd14ecc804d67ea9229a554105be77e2b8cf4f3f9aad6e4038bc54d6c487142
   SHA512: 14734d9a83595c34626248726877071dfbcffc42f8ee6bce82149eccaf99d95184833626f4d3ee34d47e6a790425d143f54d3c6548fd22f72a2c7e9ed3bc76b9
8. Filesize: 512KB
   MD5: 629a567a4213d834d642fc478ff86bd2
   SHA1: a1032b65423453f3e7f83c721f6965ac79dc7867
   SHA256: da20459c600ff526e8731723b907fe0348ed6aebef5a1c0b90c68f48df48b50b
   SHA512: 80bd65498581163eb07c261c6fda70544b0ea2810fc2f0e83e4971c098c044aa4d28221143f34b411a6a9174622d82b00a54e8502ebd707cc0d4970faa504fc8
9. Filesize: 512KB
   MD5: 4294339da2588d22c30d7be4cb7c3fd6
   SHA1: af1da3bfc5765a8272e0753aacb8efebb7622e09
   SHA256: 8b510bcb5a025994dc514557b087f98e7c38c68455579281dbb94a463eafc0d3
   SHA512: d65e2042bed275b95d78e6a70d3dc3b689c9aa8712bb3f8eca50fd1a8b31aa3e7bda78810bfd46c658db9de8866bc69d86871bd896244ebc639c7a8d38df7d12
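Added example, not part of this Triage report and not code from the sample: a PowerShell hunt for the dropped files on a suspect host. It uses the SHA256 values from the Downloads list above plus the submitted sample's own SHA256 from the General section, and the double-extension naming seen under "Drops file in Program Files directory". Assumptions: PowerShell 5 or later; the directories searched are the ones this report shows writes to; hash matching only finds byte-identical copies, so the name-pattern check is there to catch variants the report's hashes would miss. The function name, the size cap and the name regex are this example's own.

```powershell
<#
Hunt for files from this report by SHA256 and by the renamed-template naming
pattern. Hashes come from the report; directories are the ones it shows writes to.
#>
$ReportedSha256 = @(
    '08c3c75b93f5ff45351e8f2ba9f4af4d7b13cb65093128065c08ed53933dc564',   # submitted sample
    '7a8d15ce12c796dbd6482e7d3c8e1c8c84710b7388d7dc0026fcaa23a6ba950a',
    '2e47300050a87eeae89aba610c3c6f7a944712edaa1a2c07e0e95bc4e9a7381a',
    'c36a480f0a96659788566674093692cd3c03199be69e89d8d9cbddaf7d9eaa24',
    'f6aad6f6f659ca9c1c97794fc76359ce0212cfc7e1972ccf4f67794312153749',
    '85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2',
    '1493eafe4bb8092977c444f53f6ff3304324e2747aa58fd3fdda0a3740dbb05c',
    'cfd14ecc804d67ea9229a554105be77e2b8cf4f3f9aad6e4038bc54d6c487142',
    'da20459c600ff526e8731723b907fe0348ed6aebef5a1c0b90c68f48df48b50b',
    '8b510bcb5a025994dc514557b087f98e7c38c68455579281dbb94a463eafc0d3'
)

# Where the report shows files being written: SysWOW64, the Windows root
# (mydoc.rtf) and the Office 14 tree (renamed templates). System32 is added
# in case the same dropper runs as a 64-bit process.
$Roots = @(
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\System32",
    $env:SystemRoot,
    "${env:ProgramFiles(x86)}\Microsoft Office"
)

function Find-ReportedFile {
    param(
        [string[]]$Path,
        [string[]]$Sha256,
        [int64]$MaxBytes = 2MB    # the largest reported artefact is 512KB; skip hashing big files
    )
    $wanted = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$Sha256, [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Recurse only into the Office tree; the Windows roots are scanned one level deep.
        $recurse = $root -like '*Microsoft Office*'
        Get-ChildItem -LiteralPath $root -File -Recurse:$recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $reasons = @()
                $h = $null
                # Double extension such as PROTTPLN.DOC.exe, or the .nal leftovers.
                if ($_.Name -match '\.(doc|docx|rtf|xls)\.exe$' -or $_.Extension -eq '.nal') {
                    $reasons += 'template-name'
                }
                if ($_.Length -le $MaxBytes) {
                    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                    if ($h -and $wanted.Contains($h)) { $reasons += 'sha256-match' }
                }
                if ($reasons) {
                    [pscustomobject]@{ Path = $_.FullName; Size = $_.Length
                                       Sha256 = $h; Reason = ($reasons -join ',') }
                }
            }
    }
}

Find-ReportedFile -Path $Roots -Sha256 $ReportedSha256 | Format-Table -AutoSize
```

Seven of the nine dropped files are 512KB, the same size as the submitted sample, and all of them match the autoit_exe YARA rule in the AutoIT Executable section, so a hit on any one hash is a strong signal; a template-name hit with no hash match points at a copy the report did not see and is worth collecting before it is deleted.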