Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
27/09/2024, 08:53
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
25 signatures
150 seconds
General
-
Target
fa194653ada608d5c37145813acd5715_JaffaCakes118.exe
-
Size
512KB
-
MD5
fa194653ada608d5c37145813acd5715
-
SHA1
7992964158202ed0a5a68cf970f8a8619dfaa87c
-
SHA256
08c3c75b93f5ff45351e8f2ba9f4af4d7b13cb65093128065c08ed53933dc564
-
SHA512
ce1a0974ff4f009a3fd5cd0bf3907a3fa2e5e6a81af13ba39486f489868ca65412ed064b383bcf6a853e93d98d490fcae3e9f008513e38e47e795761658a3928
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6w:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5D
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" kgfmlwjcnp.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" kgfmlwjcnp.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" kgfmlwjcnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" kgfmlwjcnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" kgfmlwjcnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" kgfmlwjcnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" kgfmlwjcnp.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" kgfmlwjcnp.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation fa194653ada608d5c37145813acd5715_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 5024 kgfmlwjcnp.exe 3884 obxtpvyjadeabns.exe 3412 mniohlgs.exe 4744 bfhysfvchkmhi.exe 1864 mniohlgs.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" kgfmlwjcnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" kgfmlwjcnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" kgfmlwjcnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" kgfmlwjcnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" kgfmlwjcnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" kgfmlwjcnp.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nkbzzund = "kgfmlwjcnp.exe" obxtpvyjadeabns.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mvwmhtgv = "obxtpvyjadeabns.exe" obxtpvyjadeabns.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bfhysfvchkmhi.exe" obxtpvyjadeabns.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\v: mniohlgs.exe File opened (read-only) \??\a: kgfmlwjcnp.exe File opened (read-only) \??\k: kgfmlwjcnp.exe File opened (read-only) \??\g: mniohlgs.exe File opened (read-only) \??\r: mniohlgs.exe File opened (read-only) \??\x: mniohlgs.exe File opened (read-only) \??\q: kgfmlwjcnp.exe File opened (read-only) \??\s: mniohlgs.exe File opened (read-only) \??\w: mniohlgs.exe File opened (read-only) \??\y: mniohlgs.exe File opened (read-only) \??\i: kgfmlwjcnp.exe File opened (read-only) \??\p: kgfmlwjcnp.exe File opened (read-only) \??\l: mniohlgs.exe File opened (read-only) \??\s: mniohlgs.exe File opened (read-only) \??\y: kgfmlwjcnp.exe File opened (read-only) \??\b: mniohlgs.exe File opened (read-only) \??\h: mniohlgs.exe File opened (read-only) \??\k: mniohlgs.exe File opened (read-only) \??\t: mniohlgs.exe File opened (read-only) \??\k: mniohlgs.exe File opened (read-only) \??\g: kgfmlwjcnp.exe File opened (read-only) \??\e: mniohlgs.exe File opened (read-only) \??\o: mniohlgs.exe File opened (read-only) \??\i: mniohlgs.exe File opened (read-only) \??\m: kgfmlwjcnp.exe File opened (read-only) \??\r: kgfmlwjcnp.exe File opened (read-only) \??\b: mniohlgs.exe File opened (read-only) \??\n: mniohlgs.exe File opened (read-only) \??\t: mniohlgs.exe File opened (read-only) \??\l: mniohlgs.exe File opened (read-only) \??\n: mniohlgs.exe File opened (read-only) \??\x: mniohlgs.exe File opened (read-only) \??\q: mniohlgs.exe File opened (read-only) \??\z: kgfmlwjcnp.exe File opened (read-only) \??\q: mniohlgs.exe File opened (read-only) \??\a: mniohlgs.exe File opened (read-only) \??\j: mniohlgs.exe File opened (read-only) \??\u: mniohlgs.exe File opened (read-only) \??\b: kgfmlwjcnp.exe File opened (read-only) \??\o: kgfmlwjcnp.exe File opened (read-only) \??\t: kgfmlwjcnp.exe File opened (read-only) \??\a: mniohlgs.exe File opened (read-only) \??\r: mniohlgs.exe File opened (read-only) \??\y: mniohlgs.exe File opened (read-only) \??\p: mniohlgs.exe File opened (read-only) \??\j: kgfmlwjcnp.exe File opened (read-only) \??\u: kgfmlwjcnp.exe File opened (read-only) \??\e: kgfmlwjcnp.exe File opened (read-only) \??\h: kgfmlwjcnp.exe File opened (read-only) \??\p: mniohlgs.exe File opened (read-only) \??\w: kgfmlwjcnp.exe File opened (read-only) \??\x: kgfmlwjcnp.exe File opened (read-only) \??\m: mniohlgs.exe File opened (read-only) \??\v: mniohlgs.exe File opened (read-only) \??\g: mniohlgs.exe File opened (read-only) \??\m: mniohlgs.exe File opened (read-only) \??\n: kgfmlwjcnp.exe File opened (read-only) \??\s: kgfmlwjcnp.exe File opened (read-only) \??\i: mniohlgs.exe File opened (read-only) \??\z: mniohlgs.exe File opened (read-only) \??\e: mniohlgs.exe File opened (read-only) \??\h: mniohlgs.exe File opened (read-only) \??\o: mniohlgs.exe File opened (read-only) \??\z: mniohlgs.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" kgfmlwjcnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" kgfmlwjcnp.exe -
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/1496-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x00070000000235c8-5.dat autoit_exe behavioral2/files/0x00080000000235c4-18.dat autoit_exe behavioral2/files/0x00070000000235c9-28.dat autoit_exe behavioral2/files/0x00070000000235ca-31.dat autoit_exe behavioral2/files/0x0008000000023480-72.dat autoit_exe behavioral2/files/0x0008000000023357-69.dat autoit_exe behavioral2/files/0x000200000001e3e5-84.dat autoit_exe behavioral2/files/0x000200000001e537-98.dat autoit_exe behavioral2/files/0x0009000000023660-597.dat autoit_exe behavioral2/files/0x0009000000023660-605.dat autoit_exe -
Drops file in System32 directory 13 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\kgfmlwjcnp.exe fa194653ada608d5c37145813acd5715_JaffaCakes118.exe File created C:\Windows\SysWOW64\mniohlgs.exe fa194653ada608d5c37145813acd5715_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\bfhysfvchkmhi.exe fa194653ada608d5c37145813acd5715_JaffaCakes118.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe mniohlgs.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe mniohlgs.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe mniohlgs.exe File created C:\Windows\SysWOW64\kgfmlwjcnp.exe fa194653ada608d5c37145813acd5715_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\obxtpvyjadeabns.exe fa194653ada608d5c37145813acd5715_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\mniohlgs.exe fa194653ada608d5c37145813acd5715_JaffaCakes118.exe File created C:\Windows\SysWOW64\bfhysfvchkmhi.exe fa194653ada608d5c37145813acd5715_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll kgfmlwjcnp.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe mniohlgs.exe File created C:\Windows\SysWOW64\obxtpvyjadeabns.exe fa194653ada608d5c37145813acd5715_JaffaCakes118.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe mniohlgs.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe mniohlgs.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe mniohlgs.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal mniohlgs.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe mniohlgs.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe mniohlgs.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal mniohlgs.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe mniohlgs.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal mniohlgs.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe mniohlgs.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe mniohlgs.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal mniohlgs.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe mniohlgs.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe mniohlgs.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe mniohlgs.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe mniohlgs.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe mniohlgs.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe mniohlgs.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe mniohlgs.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe mniohlgs.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe mniohlgs.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe mniohlgs.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe mniohlgs.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe mniohlgs.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe mniohlgs.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe mniohlgs.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe mniohlgs.exe File opened for modification C:\Windows\mydoc.rtf fa194653ada608d5c37145813acd5715_JaffaCakes118.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe mniohlgs.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe mniohlgs.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe mniohlgs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fa194653ada608d5c37145813acd5715_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kgfmlwjcnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language obxtpvyjadeabns.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mniohlgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bfhysfvchkmhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mniohlgs.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings fa194653ada608d5c37145813acd5715_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc kgfmlwjcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" kgfmlwjcnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf kgfmlwjcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C7F9C5683526A3077D770552CDD7D8065D9" fa194653ada608d5c37145813acd5715_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FFF8482882189042D7217E93BDEEE143593567336336D79D" fa194653ada608d5c37145813acd5715_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BC5FE6622A9D17AD1D28A0C9111" fa194653ada608d5c37145813acd5715_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" kgfmlwjcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" kgfmlwjcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFACDFE65F2E284093A4781EB39E2B08E02F043140338E1CC42EE09A9" fa194653ada608d5c37145813acd5715_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat kgfmlwjcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" kgfmlwjcnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg kgfmlwjcnp.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes fa194653ada608d5c37145813acd5715_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs kgfmlwjcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" kgfmlwjcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" kgfmlwjcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B15D47E739ED53BDBAA53292D4C5" fa194653ada608d5c37145813acd5715_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC70C14E5DAB6B8CC7FE0EDE037CF" fa194653ada608d5c37145813acd5715_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh kgfmlwjcnp.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1584 WINWORD.EXE 1584 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 3412 mniohlgs.exe 3412 mniohlgs.exe 3412 mniohlgs.exe 3412 mniohlgs.exe 3412 mniohlgs.exe 3412 mniohlgs.exe 3412 mniohlgs.exe 3412 mniohlgs.exe 5024 kgfmlwjcnp.exe 5024 kgfmlwjcnp.exe 5024 kgfmlwjcnp.exe 5024 kgfmlwjcnp.exe 5024 kgfmlwjcnp.exe 5024 kgfmlwjcnp.exe 5024 kgfmlwjcnp.exe 5024 kgfmlwjcnp.exe 5024 kgfmlwjcnp.exe 5024 kgfmlwjcnp.exe 3884 obxtpvyjadeabns.exe 3884 obxtpvyjadeabns.exe 3884 obxtpvyjadeabns.exe 3884 obxtpvyjadeabns.exe 3884 obxtpvyjadeabns.exe 3884 obxtpvyjadeabns.exe 3884 obxtpvyjadeabns.exe 3884 obxtpvyjadeabns.exe 3884 obxtpvyjadeabns.exe 3884 obxtpvyjadeabns.exe 4744 bfhysfvchkmhi.exe 4744 bfhysfvchkmhi.exe 4744 bfhysfvchkmhi.exe 4744 bfhysfvchkmhi.exe 4744 bfhysfvchkmhi.exe 4744 bfhysfvchkmhi.exe 4744 bfhysfvchkmhi.exe 4744 bfhysfvchkmhi.exe 4744 bfhysfvchkmhi.exe 4744 bfhysfvchkmhi.exe 4744 bfhysfvchkmhi.exe 4744 bfhysfvchkmhi.exe 1864 mniohlgs.exe 1864 mniohlgs.exe 1864 mniohlgs.exe 1864 mniohlgs.exe 1864 mniohlgs.exe 1864 mniohlgs.exe 1864 mniohlgs.exe 1864 mniohlgs.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 3412 mniohlgs.exe 3412 mniohlgs.exe 3412 mniohlgs.exe 5024 kgfmlwjcnp.exe 5024 kgfmlwjcnp.exe 5024 kgfmlwjcnp.exe 3884 obxtpvyjadeabns.exe 4744 bfhysfvchkmhi.exe 3884 obxtpvyjadeabns.exe 4744 bfhysfvchkmhi.exe 3884 obxtpvyjadeabns.exe 4744 bfhysfvchkmhi.exe 1864 mniohlgs.exe 1864 mniohlgs.exe 1864 mniohlgs.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 3412 mniohlgs.exe 3412 mniohlgs.exe 3412 mniohlgs.exe 5024 kgfmlwjcnp.exe 5024 kgfmlwjcnp.exe 5024 kgfmlwjcnp.exe 3884 obxtpvyjadeabns.exe 4744 bfhysfvchkmhi.exe 3884 obxtpvyjadeabns.exe 4744 bfhysfvchkmhi.exe 3884 obxtpvyjadeabns.exe 4744 bfhysfvchkmhi.exe 1864 mniohlgs.exe 1864 mniohlgs.exe 1864 mniohlgs.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1584 WINWORD.EXE 1584 WINWORD.EXE 1584 WINWORD.EXE 1584 WINWORD.EXE 1584 WINWORD.EXE 1584 WINWORD.EXE 1584 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1496 wrote to memory of 5024 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 89 PID 1496 wrote to memory of 5024 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 89 PID 1496 wrote to memory of 5024 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 89 PID 1496 wrote to memory of 3884 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 90 PID 1496 wrote to memory of 3884 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 90 PID 1496 wrote to memory of 3884 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 90 PID 1496 wrote to memory of 3412 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 91 PID 1496 wrote to memory of 3412 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 91 PID 1496 wrote to memory of 3412 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 91 PID 1496 wrote to memory of 4744 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 92 PID 1496 wrote to memory of 4744 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 92 PID 1496 wrote to memory of 4744 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 92 PID 1496 wrote to memory of 1584 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 93 PID 1496 wrote to memory of 1584 1496 fa194653ada608d5c37145813acd5715_JaffaCakes118.exe 93 PID 5024 wrote to memory of 1864 5024 kgfmlwjcnp.exe 96 PID 5024 wrote to memory of 1864 5024 kgfmlwjcnp.exe 96 PID 5024 wrote to memory of 1864 5024 kgfmlwjcnp.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa194653ada608d5c37145813acd5715_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fa194653ada608d5c37145813acd5715_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\kgfmlwjcnp.exekgfmlwjcnp.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\mniohlgs.exeC:\Windows\system32\mniohlgs.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1864
-
-
-
C:\Windows\SysWOW64\obxtpvyjadeabns.exeobxtpvyjadeabns.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3884
-
-
C:\Windows\SysWOW64\mniohlgs.exemniohlgs.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3412
-
-
C:\Windows\SysWOW64\bfhysfvchkmhi.exebfhysfvchkmhi.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4744
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1584
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4612,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3936 /prefetch:81⤵PID:3448
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD500e019980d9f778c40ad176da80fcd70
SHA1837dd4635a80c66e79162ca83b2eb8c95d2c35b1
SHA256fca151ea3967b3307a541acaeec7e202c79a4905d990deb45623d7be09822647
SHA51225d8777bbc00c21bca2be99b23ec98726a99592bf6f077b8cd33a50da2f292ca480b817f8db5ca14032eaaf01d2d2a96b7da5e19ae8029209f8e52f8876ea355
-
Filesize
512KB
MD5f5db4ad6dd2479dc42a4c4e71bbd4690
SHA1952aeca1c32bf2887f4415f5e2f1f3602b805878
SHA2566b3f3e4308774c00b505fad8ccb2a6bda533f59b1441290a2c1dfc5d8e08e446
SHA512ca7b75ddd5047f4f65d7366500979696332ccbab1c116e9919170252738ab15525513d778389eb770fe785148141aa1961a5cbd7b3a97d3d2e6e7a82fcd35c57
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
332B
MD560d713c2b9bb1b4529d5a3ed5b60f6d6
SHA17183e8e0cda428a25ff26c00006e9acb5b0ce6bb
SHA2565d5bc2baa5b11af37649f1d2d20a1c259bab9df1024eb9ffa759b250527b5cd2
SHA512b59ea21d714ba8375f0e8b69b238d98a59a7e318ebafeea9d378fd0f025ad00f12077394ccfddec24a102aa7d76f8b53d703a91499b43b4ea67261085bb20ec8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD53980dac96259b77c68118b6e3229cbb5
SHA16341dca39bbaa43f491d2d5bc020b9661adce176
SHA2560f2ec36f038c168eb189fb13e413968314047b6edb9df84b1ff45298508ca43b
SHA5128908f08f9558caf8e6d1ac49be9c18f7a02263a461ad6388c993f7c79ec54b5de8c840f97556705639c1d2716158653e8784941ef80dac6bc3751d9f53cc0502
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD569a1966aae2a47b87c0994c93377dd6d
SHA13deac3a9458609d172e7fa7b24cb865bc851f90d
SHA256134b42202cf99571b517f94b113d5b7ad0b866f112f0845aa82bb002fa2f8d05
SHA512bd7a29b7b9ef8cfc11479644b75bbb85619157c3ffa84719a6a8e20fb053098756fdfda772bcaba8d75770c408c423a990bb48caf3075d59eb902be42c27270f
-
Filesize
512KB
MD5e6b643f37175454416a1b9e206215a71
SHA14429162b13a1373b50a44256ddfb049c12e8fb8a
SHA256a86064302519bfb056c1dfe25f490e199f9eb77d4ba8b1cd28b8fdb8fb1baf2f
SHA51259f4eef276d3fd454925dbb399982d6d8e362228de4445a85937f6ed75a7b5a73886e3bd1082545bf103b40d846f301af1274f954b0d487dba650a7ea5c211e2
-
Filesize
512KB
MD59eebe36f569e1031170d8104e68c22ce
SHA12df225bffad7c2b4b917d80475b6ad2efe8e8321
SHA25654218c33d4e8095f8867125d969101ab3aa54dff050c024772ea2733e179b7bf
SHA512b6929246030151bbd0014c4075458e478210eeea0466ccd2bfb51e347cfffad258c6b68a76ba24885411034833bdbcb885a3e3703e44cd7bc939a236615c56c9
-
Filesize
512KB
MD58b9d3859c2c3adc8a735b13f9b7f9610
SHA14032b59b1567fa4617afd5ce3d90e343a16a2919
SHA256b9a3516fb6c639c9b6790163e93ed03d1d9aca66db9769d8c51889015501342f
SHA5126805cf43d374b19fedd1871f0c6437e1634a862203d675cfa4d61535be04b8a02a9c0d4deae879dc6bfef6c13045f327949efeb23f9fab52638614f021700314
-
Filesize
512KB
MD559c17fb6307cb621831de8ddcec81fde
SHA1347e157402689fc342d993377b20bec59e7a9814
SHA256039ad6268e71799bac3ccc2d0ffeb0f8a348baa208e603382316cf9a60b0192c
SHA512c38db6d7f2df7ca31b8eae5032b765abdcb18d4ee2f572f094c55d7d4266333c5691ca4419bd5f2c11bfd762995e08f8b6ebaae1f0ca7e47ffeab3a2d4aca3d1
-
Filesize
512KB
MD51b01cdb2061244a413bd4b7ccbdd2680
SHA11f50a0695e088c9e073394f6ceec96f997a1a341
SHA256100631ca41a20a100c2b52a41d7db13e4ae63f986e63f0b0ed39d438ab229314
SHA5121fd42c64ba51d385ec452b1c87a46ea4218624ef7fd205dfbbf15d832f2f86c2b68b7d5a41adb157c91d74820f3fd9edadeb089240853a139dfc9d6a43b4ff56
-
Filesize
512KB
MD55d9ac8bbc6c46dc8c4d6eab7da807642
SHA11cfabe28977c3b9f7eb4f9202db0ba8492827391
SHA25606ddd94d7fc2c1f17de61cb1ca068662488b0722052ac9b41c21bf826506caa9
SHA512d52b60c90a2842cc777e12f1744b0f7fa25963e0dacac0bae79a55f1b685e217b6a71d4327fbbe2eedf46686ad96b006cf852847ddf9fc7e3b7b0a4c0583be68
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5c6c8d1922ef4f12221bd8f8257aed41f
SHA152e338ae28de90047f493877298f82676f82b916
SHA2566c164a28b692baebe19ae235456f111b2a2ed2ee4121ca6901d5d891e42b6b0b
SHA512a1c7a4b11f72bf6fb89a103e797e203fd62cc6503b46b84bb4d6740f2cc74f881bea8457227706825cefbb8593cb3137710773631ed36273141532e41486c93b
-
Filesize
512KB
MD515f473bc5e4462a8f781a0d61b060f81
SHA1cdb485a148c3bfa0607347ac81f9a6a3bf245d01
SHA2569957bf90835a979455a67fea53983bb57c6d70fac291986696f33ee052f2ebbf
SHA512b2873864dec60775f722afc37f1d27d76be4330ee115789b84bccd37f1b542580bd370298b5d2d8dcd1292e88889a0097f064d93c8b20d6f87a978a65538bfc3