Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/01/2025, 11:47
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
  Resource: win10v2004-20241007-en
The signatures, memory dumps and process tree below come from behavioral1, the Windows 7 x64 run (every dump path is prefixed behavioral1/). Results of the Windows 10 run (behavioral2) are not on this page.
General
Target: JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
Size: 1.9MB
MD5: 560c57996398b6d5fcda78ca1372dfe7
SHA1: 2881fb19501b0bfb91cd80b0270e7bbc04853a27
SHA256: 72a9721c2098fa1760d735bf2482caee20df5b3b56437ab776639825f4f0f8a7
SHA512: f520e3bc1d3df2dfe34758dbab202a476223973db52b3b8d0e262d5816a1d184d919b9d53e4ef0f2b93f4b1b63ee3bf211254fd2051a32a2987978496bf4db44
SSDEEP: 24576:Uc9ZDtTS7od7341D2+jjqBicDSdwAO3BECoRypw649dq3YayQUP99R11GJ:Ucdh73WD2IcicDsZO3Bjw964zqOt114
Malware Config
Signatures
Cycbot family

Detects Cycbot payload 7 IoCs
Cycbot is a backdoor and trojan written in C++.
resource  yara_rule
behavioral1/memory/2716-43-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
behavioral1/memory/2820-119-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
behavioral1/memory/1368-123-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
behavioral1/memory/2820-194-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
behavioral1/memory/112-198-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
behavioral1/memory/2820-302-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
behavioral1/memory/2820-371-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
All seven hits are in the dwme.exe processes (PIDs 2820, 2716, 1368 and 112), on the same 0x400000-0x46A000 image range, so the dropped dwme.exe is the Cycbot component. The original sample (PID 2228) and the Cloud AV 2012v121.exe processes (2304, 2652) occupy a 0x400000-0x917000 image and match only the upx rule listed further down.
Modifies security service 2 TTPs 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"  dwme.exe
wscsvc is the Windows Security Center service. Start = 3 is SERVICE_DEMAND_START (manual); on Windows 7 the service defaults to automatic (delayed) start, so after this change Security Center no longer comes up at boot and stops warning about missing antivirus, which suits a fake AV such as the dropped "Cloud AV 2012". When cleaning a host, set Start back to 2 and restart the service.
Pony family
No IoC rows are listed under this tag on the page; the tag is consistent with the FTP-client and browser credential-access signatures below, but the page shows no Pony-specific configuration or memory match.
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
The only row is a key creation by explorer.exe (PID 1268), which is not in the sample's process tree. Explorer populates the per-user Active Setup\Installed Components key when it runs Active Setup components at logon, so this hit is environmental noise unless a sample process is seen writing a StubPath under that key.
Disables taskbar notifications via registry modification
The only registry change on this page that fits is the HideSCAHealth = 1 policy value written by dwme.exe (see System policy modification below).
Drops file in Drivers directory 1 IoCs
description  ioc  Process
File opened for modification  C:\Windows\system32\drivers\etc\hosts  Cloud AV 2012v121.exe
The target is the hosts file. The report records only that Cloud AV 2012v121.exe opened it for writing, not what was written; on an affected host, compare hosts against a clean copy for added entries.
Executes dropped EXE 7 IoCs
pid   Process
2820  dwme.exe
2716  dwme.exe
2304  Cloud AV 2012v121.exe
2652  Cloud AV 2012v121.exe
1368  dwme.exe
112   dwme.exe
1872  D124.tmp

Loads dropped DLL 14 IoCs
pid   Process                                              rows
2228  JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe   6
2304  Cloud AV 2012v121.exe                                2
2652  Cloud AV 2012v121.exe                                2
2820  dwme.exe                                             4
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 4 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BVrlONtxPuSiDoG8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe"  JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ItxP0ycS1v3n4m5 = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"  JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HIVrzONtx0c2b3n8234A = "C:\\Users\\Admin\\AppData\\Roaming\\pNyxA0uvSiFpGaH\\Cloud AV 2012v121.exe"  Cloud AV 2012v121.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D5A.exe = "C:\\Program Files (x86)\\LP\\8E3E\\D5A.exe"  dwme.exe
All four values land in the Wow6432Node view because the sample is a 32-bit image (arch:x86 tag, SysWOW64 paths) running on x64: a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected there. When hunting on x64 hosts, enumerate both the native Run key and its Wow6432Node counterpart. The first value points at C:\Windows\system32\Cloud AV 2012v121.exe, which file-system redirection resolves, for a 32-bit process, to the C:\Windows\SysWOW64 copy created under "Drops file in System32 directory".
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 2 IoCs
description  ioc  Process
File created  C:\Windows\SysWOW64\Cloud AV 2012v121.exe  Cloud AV 2012v121.exe
File created  C:\Windows\SysWOW64\Cloud AV 2012v121.exe  JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe

yara rule upx 15 IoCs (the signature's title line is missing on the page; the rows are as listed)
resource  yara_rule
behavioral1/memory/2228-2-0x0000000000400000-0x0000000000917000-memory.dmp  upx
behavioral1/memory/2228-28-0x0000000000400000-0x0000000000917000-memory.dmp  upx
behavioral1/memory/2228-29-0x0000000000400000-0x0000000000914000-memory.dmp  upx
behavioral1/memory/2304-40-0x0000000000400000-0x0000000000917000-memory.dmp  upx
behavioral1/memory/2716-43-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/2820-119-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/1368-123-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/2652-126-0x0000000000400000-0x0000000000917000-memory.dmp  upx
behavioral1/memory/2820-194-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/112-198-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/2652-204-0x0000000000400000-0x0000000000917000-memory.dmp  upx
behavioral1/memory/2652-294-0x0000000000400000-0x0000000000917000-memory.dmp  upx
behavioral1/memory/2820-302-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/2652-309-0x0000000000400000-0x0000000000917000-memory.dmp  upx
behavioral1/memory/2820-371-0x0000000000400000-0x000000000046A000-memory.dmp  upx
Drops file in Program Files directory 3 IoCs
description  ioc  Process
File created  C:\Program Files (x86)\LP\8E3E\D5A.exe  dwme.exe
File opened for modification  C:\Program Files (x86)\LP\8E3E\D5A.exe  dwme.exe
File opened for modification  C:\Program Files (x86)\LP\8E3E\D124.tmp  dwme.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process  rows
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dwme.exe  4
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  D124.tmp  1
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe  1
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Cloud AV 2012v121.exe  2
Reading NLS\Language is routine locale initialisation for many legitimate programs; on its own it is weak evidence.
Modifies registry class 10 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007
a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000003569696969000000700000008000000080030e0087223c01a8526a02ce5b8304e2466502cc1b3001a30000004b0000000000000000000000000000000000000058b0b0b0b0000000adfffffcffecf6d5ffb6dc58ffc7df50ffd0e160ffd5e185ffbdd76cffb1cc64ff344e02c00306000d000000000000000000000000000000a5ffffffff000000c01a19008d788901dbdde84efdedf487ffcbdc29ffa5bd17ffa8c23bffbdd16eff89a231f6242801bb0000004b0000000000000000000000c0ffffffff7f7f7fffccd873ffdbe244fff7fa6effdee858ffcbd75cffe9ecceffb9ca76ff8daf2affb1bd6cff708338ff101601a50000000000000000000000c0ffffffff000000a6adb80aeafafbf7fffefdb3ff808827c9090b00550000004d0001004e494e0dac8d9b33ff7b8647ff252d05cf0000000000000000000000c0ffffffff000000a6b7bb01f2fefefbfffeffe9ff27250c750101004e0000004d0000004d1618016c787e06ff6d6f2dff2f3203e20000000000000000000000c0ffffffff030303a8746b02d3d1cc59fddcd268ff7c6d25bf030400500000004d0000004d615625b3b2aa6aff9c966dff252702cf0000000000000000000000e07f7f7fff030303d6413a0a99a1983bf
2ded59afebaa956f56d5f2db8241e0e7266582ab4aa9856f3ccc49bfe969063ff121501a60000004b00000080000000c07f7f7fff0e0e0eb014130db2473a0cc9baa76af6ddd0aaffcfbd8fffbeaa70ffcbba8affdccdaeffad9d69f4afa888ff0003008100000080ffffffffffffffffffffffffffffffffffffffff191613b8584217b0aa8d58f0d2c49ffce6dcc7fed3c49efbab8e58ef473208a5f7f6f3ff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f1f1fbc3e3e3e78524531976c501ec4785a15da6c511ec4514531973e3f3e79ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0030000c0010000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = (binary data; not preserved in the extracted page)  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133698140141790000"  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133814170756392000"  explorer.exe
All ten rows in this signature are written by explorer.exe (PID 1268), not by the sample or its children. BagMRU holds the shell's folder-view settings and TrayNotify its notification-area icon cache; the cache churn is a side effect of the fake AV putting an icon in the tray, not sample persistence.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process                 rows
2304  Cloud AV 2012v121.exe   8
2820  dwme.exe                14
2652  Cloud AV 2012v121.exe   42
(64 rows shown on the page, summed per process)
Suspicious use of AdjustPrivilegeToken 19 IoCs
description  pid  Process  rows
Token: SeRestorePrivilege  2148  msiexec.exe  1
Token: SeTakeOwnershipPrivilege  2148  msiexec.exe  1
Token: SeSecurityPrivilege  2148  msiexec.exe  1
Token: SeShutdownPrivilege  1268  explorer.exe  16
Suspicious use of FindShellTrayWindow 33 IoCs
pid   Process                 rows
2652  Cloud AV 2012v121.exe   5
1268  explorer.exe            28

Suspicious use of SendNotifyMessage 23 IoCs
pid   Process                 rows
2652  Cloud AV 2012v121.exe   5
1268  explorer.exe            18

Suspicious use of SetWindowsHookEx 8 IoCs
pid   Process                                              rows
2228  JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe   1
2304  Cloud AV 2012v121.exe                                2
2652  Cloud AV 2012v121.exe                                5
Suspicious use of WriteProcessMemory 28 IoCs
description  pid  Process  procid_target  rows
PID 2228 wrote to memory of 2820  2228  JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe  30  4
PID 2228 wrote to memory of 2716  2228  JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe  31  4
PID 2228 wrote to memory of 2304  2228  JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe  32  4
PID 2304 wrote to memory of 2652  2304  Cloud AV 2012v121.exe  33  4
PID 2820 wrote to memory of 1368  2820  dwme.exe  35  4
PID 2820 wrote to memory of 112  2820  dwme.exe  37  4
PID 2820 wrote to memory of 1872  2820  dwme.exe  40  4
Each of the seven writer/target pairs appears four times. Every target is a process the writer itself spawned (compare the Processes section), which is consistent with a parent setting up its own children rather than injection into an existing process; a write into a process the writer did not create would be the row worth chasing.
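The cross-check just described, as an added example (not Triage's code and not from the sample): the script parses the 28 rows of this signature as the report prints them, collapses the repeats per writer/target pair, and checks each target against the parent/child relationships copied from the Processes section further down. A pair whose target is not the writer's own child is reported as an injection candidate; for this report that list is empty. The row format ("PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>") is read off the page's column header; the trailing number is Triage's target index, not a PID.

```python
import re

# Constructed input: the 28 rows of the "Suspicious use of WriteProcessMemory"
# signature, exactly as the report lists them.
WPM_ROWS = """
PID 2228 wrote to memory of 2820 2228 JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe 30
PID 2228 wrote to memory of 2820 2228 JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe 30
PID 2228 wrote to memory of 2820 2228 JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe 30
PID 2228 wrote to memory of 2820 2228 JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe 30
PID 2228 wrote to memory of 2716 2228 JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe 31
PID 2228 wrote to memory of 2716 2228 JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe 31
PID 2228 wrote to memory of 2716 2228 JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe 31
PID 2228 wrote to memory of 2716 2228 JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe 31
PID 2228 wrote to memory of 2304 2228 JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe 32
PID 2228 wrote to memory of 2304 2228 JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe 32
PID 2228 wrote to memory of 2304 2228 JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe 32
PID 2228 wrote to memory of 2304 2228 JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe 32
PID 2304 wrote to memory of 2652 2304 Cloud AV 2012v121.exe 33
PID 2304 wrote to memory of 2652 2304 Cloud AV 2012v121.exe 33
PID 2304 wrote to memory of 2652 2304 Cloud AV 2012v121.exe 33
PID 2304 wrote to memory of 2652 2304 Cloud AV 2012v121.exe 33
PID 2820 wrote to memory of 1368 2820 dwme.exe 35
PID 2820 wrote to memory of 1368 2820 dwme.exe 35
PID 2820 wrote to memory of 1368 2820 dwme.exe 35
PID 2820 wrote to memory of 1368 2820 dwme.exe 35
PID 2820 wrote to memory of 112 2820 dwme.exe 37
PID 2820 wrote to memory of 112 2820 dwme.exe 37
PID 2820 wrote to memory of 112 2820 dwme.exe 37
PID 2820 wrote to memory of 112 2820 dwme.exe 37
PID 2820 wrote to memory of 1872 2820 dwme.exe 40
PID 2820 wrote to memory of 1872 2820 dwme.exe 40
PID 2820 wrote to memory of 1872 2820 dwme.exe 40
PID 2820 wrote to memory of 1872 2820 dwme.exe 40
""".strip().splitlines()

# Parent/child relationships copied from the report's Processes section (child -> parent).
PARENT_OF = {2820: 2228, 2716: 2228, 2304: 2228, 2652: 2304, 1368: 2820, 112: 2820, 1872: 2820}

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"; \1 pins the
# repeated writer PID so the image name (which may contain spaces and digits) is unambiguous.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+?) (\d+)$")


def parse_edges(rows):
    """Collapse rows into {(writer_pid, target_pid): (writer_image, row_count)}."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError("unexpected row: " + row)
        writer, target, image, _target_idx = m.groups()
        key = (int(writer), int(target))
        image_seen, count = edges.get(key, (image, 0))
        edges[key] = (image_seen, count + 1)
    return edges


def classify(edges, parent_of):
    """Split edges into writes to the writer's own children and writes to anything else."""
    own_children, foreign = {}, {}
    for (writer, target), info in edges.items():
        if parent_of.get(target) == writer:
            own_children[(writer, target)] = info
        else:
            foreign[(writer, target)] = info
    return own_children, foreign


def summarize(rows=WPM_ROWS, parent_of=PARENT_OF):
    edges = parse_edges(rows)
    own, foreign = classify(edges, parent_of)
    return {
        "rows": sum(count for _, count in edges.values()),
        "distinct_pairs": len(edges),
        "to_own_children": len(own),
        "injection_candidates": sorted(foreign),
    }


if __name__ == "__main__":
    print(summarize())
</test>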
System policy modification 1 TTPs 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  dwme.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"  dwme.exe
HideSCAHealth = 1 hides the Action Center (Security Center) icon in the notification area, so the user never sees the warnings that follow the wscsvc change above. The key sits under the native HKLM\SOFTWARE path rather than Wow6432Node even though dwme.exe is 32-bit: the Policies subtree is shared between the 32-bit and 64-bit registry views.
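The three registry changes a responder would turn into a check on a suspected host are the Run values ("Adds Run key to start application"), the wscsvc Start change ("Modifies security service") and the HideSCAHealth policy above. The script below is an added example, not code from tria.ge or from the malware: it parses the report's own registry rows (copied in as constructed input, in the "<operation> <key\value> = "<data>" <process>" form the page uses) and applies three rules. Run values are reported with the reasons that make them worth a look (written in the Wow6432Node view, pointing into a user profile, or carrying a random-looking name); a watched service moved off automatic start is reported with the decoded start type; HideSCAHealth = 1 is reported as hiding the Security Center icon. The service watchlist and the random-name heuristic are the editor's choices, not anything Triage applies.

```python
import re

# Constructed input: registry rows copied from this report's "Adds Run key",
# "Modifies security service" and "System policy modification" signatures.
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BVrlONtxPuSiDoG8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe" JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ItxP0ycS1v3n4m5 = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe" JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HIVrzONtx0c2b3n8234A = "C:\\Users\\Admin\\AppData\\Roaming\\pNyxA0uvSiFpGaH\\Cloud AV 2012v121.exe" Cloud AV 2012v121.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D5A.exe = "C:\\Program Files (x86)\\LP\\8E3E\\D5A.exe" dwme.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" dwme.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" dwme.exe',
]

# <type>, full key\value path, quoted data, writing process (the process name may contain spaces).
ROW_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (.+)$')
SERVICE_RE = re.compile(r"\\services\\([^\\]+)$")

# SERVICE_START_TYPE values from the Win32 service API.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand (manual)", 4: "disabled"}
# Editor's watchlist: services that should stay automatic on a healthy Windows 7 host.
WATCHED_SERVICES = {"wscsvc", "windefend", "mpssvc", "wuauserv", "bfe"}
# Editor's heuristic: 10+ alphanumerics mixing upper case, lower case and digits.
RANDOM_NAME_RE = re.compile(r"(?=.*\d)(?=.*[A-Z])(?=.*[a-z])[A-Za-z0-9]{10,}")


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        return None
    vtype, full_path, data, process = m.groups()
    key, _, name = full_path.rpartition("\\")
    return {"type": vtype, "key": key, "name": name, "data": data, "process": process}


def run_target(data):
    # The report doubles the backslashes inside REG_SZ data; undo that.
    return data.replace("\\\\", "\\").strip('"')


def looks_random(name):
    return RANDOM_NAME_RE.fullmatch(name) is not None


def triage(rows):
    findings = []
    for row in rows:
        r = parse_row(row)
        if r is None:
            continue
        key_l = r["key"].lower()
        svc = SERVICE_RE.search(key_l)
        if key_l.endswith("\\currentversion\\run"):
            target = run_target(r["data"])
            reasons = []
            if "\\wow6432node\\" in key_l:
                reasons.append("32-bit Run view (check both views on x64)")
            if "\\appdata\\" in target.lower():
                reasons.append("autostart from user profile")
            if looks_random(r["name"]):
                reasons.append("random-looking value name")
            findings.append({"rule": "run_key", "value": r["name"], "target": target,
                             "by": r["process"], "reasons": reasons})
        elif svc and r["name"].lower() == "start":
            start = int(r["data"])
            if svc.group(1) in WATCHED_SERVICES and start != 2:
                findings.append({"rule": "service_start", "service": svc.group(1),
                                 "start": START_TYPES.get(start, str(start)), "by": r["process"]})
        elif key_l.endswith("\\policies\\explorer") and r["name"].lower() == "hidescahealth" and r["data"] == "1":
            findings.append({"rule": "hide_security_center", "by": r["process"]})
    return findings


if __name__ == "__main__":
    for finding in triage(REPORT_ROWS):
        print(finding)
```

On a live host the same rules apply to the output of a registry export or of reg query against both Run views; the parser here only understands the report's row format.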
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the parent/child relationship; image path, then the command line as recorded)

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe  (PID 2228)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\dwme.exe  (PID 2820)
    command line: "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
    - Modifies security service
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Users\Admin\AppData\Local\Temp\dwme.exe  (PID 1368)
      command line: C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\EADC2\DBD8E.exe%C:\Users\Admin\AppData\Roaming\EADC2
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\dwme.exe  (PID 112)
      command line: C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\C2966\lvvm.exe%C:\Program Files (x86)\C2966
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\LP\8E3E\D124.tmp  (PID 1872)
      command line: "C:\Program Files (x86)\LP\8E3E\D124.tmp"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Roaming\dwme.exe  (PID 2716)
    command line: C:\Users\Admin\AppData\Roaming\dwme.exe auto
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\Cloud AV 2012v121.exe  (PID 2304)
    command line: C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\pNyxA0uvSiFpGaH\Cloud AV 2012v121.exe  (PID 2652)
      command line: C:\Users\Admin\AppData\Roaming\pNyxA0uvSiFpGaH\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\msiexec.exe  (PID 2148)
  command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe  (PID 1268)
  command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Two points for reading the tree. PID 2304 was launched by the C:\Windows\system32 path but its image is under C:\Windows\SysWOW64: file-system redirection for a 32-bit process on x64, matching the file created under "Drops file in System32 directory". msiexec.exe (PID 2148, running as msiexec.exe /V, the form in which the Windows Installer service runs) and explorer.exe (PID 1268) are root-level processes, not descendants of the sample; the signatures attributed to explorer.exe (the Active Setup key, the BagMRU/TrayNotify values, SeShutdownPrivilege and the tray-window calls) are the shell's normal activity, and nothing on this page ties msiexec.exe to the sample.
Network
MITRE ATT&CK Enterprise v15
(counts in parentheses are the per-technique hit counts shown on the page)

Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads
Files dropped during the run. Only the .lnk entry carries a path on this page; the last entry has the same size and hashes as the submitted sample, so one of the dropped files is a byte-identical copy of the sample (path not given).

Filesize: 300B
MD5: 7b1235fbfef86c5e53a2e4fb6e38765a
SHA1: 12371b3665c123668cd0b243c41ab06c2c10e854
SHA256: 5d80b7cc60ca67127125e0c4462136bff3873c80bdec98b7bffea2f8b18639aa
SHA512: c3fdaf3280ca392d2ce9d0e3bc4d2bce09ce4c12c2b653edff354335c3615592ae12aada9f2a1a3316c8674ef0dad4959978e314f3dc098ade2a2cb020d6fd47

Filesize: 696B
MD5: 7fdea80b614e9c89dc668191affdc131
SHA1: 23dc28a6264451d4338df3eaa0b7422b4b2468bf
SHA256: 7d54a5e5dd04353d521d7132838813554cf10d4f2a618eb2b7b5ccd975c26e74
SHA512: 13e5ed1e3cbe2312a582f5e5bf5e1fe073216ae4ada6f747f0b7b2e1d021b76d08b93f8957df8bcad4c2c08bf3d5b3eb7449b20392161500561856759280ac08

Filesize: 1KB
MD5: 12509006c636251a57d0bc705090b737
SHA1: 6d9609cd463790dd11b1484f6a1ef9f6c2c0a1e7
SHA256: 632dbec073f5db24b78b99cf6a89b62d199754922fb14703e9e9b86d85090cfc
SHA512: a7ffd0248e4711fc5cb978952dc465f2f42d2064a55777c0019d5a4a674a3505d69448930993cdf2f1f92363415b7bb9c7052729b2ff9d38f7a20c5e7e000f60

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk
Filesize: 1KB
MD5: 3aec0d13044e467c048095ce87568da5
SHA1: 784cbec652a210d3139fd4360b98fc7b6dc8fdbe
SHA256: 07cfe63f5811d4a1fd1eb14243611ed191dadb733aeecac1437cf5e8196dac61
SHA512: c118b29d0bfa892fa9754d054745123d5a1dfccd478eb5220fdebcac92ece67426066bafceed7087eb6c5a9463631204aae64a47e2e9b19b7fd08d92c643b3b3

Filesize: 1KB
MD5: e7f5da6edc5f0e41120248aa7ce7bc90
SHA1: 6ac49387d136200c5406dc6232c731cf17f2421c
SHA256: afaac1d908ff3b41c5ecc81c1db731b4bd06b6105ff53982570e15173632d9e6
SHA512: f980ed1ed3e9a3f2b62c08fa4408e2e324ee0941e4e994257361a68a736490c2864f2bfdeee14ea3cc684b68bcc0d43749716d10ad5030477652f69507cb7c3f

Filesize: 12KB
MD5: bb87f71a6e7f979fcb716926d452b6a8
SHA1: f41e3389760eaea099720e980e599a160f0413b9
SHA256: 14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84
SHA512: e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Filesize: 1KB
MD5: dcbef6ada34d04a250e091ae2a6e3fa3
SHA1: a88c3f8d7ca6648685070cf48296506ee98ff530
SHA256: 601195cc2c0e7786ef988e418cbeaa8fc7c7131c157e9027da06152f493947f0
SHA512: aba33ce8c56574068651fe5dd28bd6c44db28fc406de23c06a545f2285c0417a025402a928b299ba7f7c2069617de59b4151e3e37b9cd1aceeafb09c469828ba

Filesize: 1KB
MD5: 7b9ba10c96d2d607c3d386d2a91ba265
SHA1: 5f058d62033bf4f9f5b43d19205f07661439d299
SHA256: 36383c9b0bb89aec491d1b9cd71d894f8c9708687bc4b35108446f07dc626b68
SHA512: b3787f350b3fbf006f71b7a243df286dbb2c5f5d9a733151c99cbb417a75022a213e0575f0660c259614b876883e769de1fbdae4d032c22d57e8a89e94535a82

Filesize: 1KB
MD5: f48cfb5db32cdf990f35a5ef9146dbf4
SHA1: 09b4f991e17aba915160f6c153c6d78e2d4aa4d9
SHA256: 72439cac78aae2122ddea93a12f562ea85c9fb909bef25cae982480a2d51f397
SHA512: 385c74297ee70bdce1cf2dbcafd95e1d96f1b9ffd0fac713d614f84b9d02c28359276434ea164082ae46b312f40dd9911a27526df2ef3613118a0efc9271d301

Filesize: 98KB
MD5: 452ca0be44887092384b55fbb84d79c7
SHA1: c51135c52fdff98dacc66b1bbb5dd215b90d3a8b
SHA256: fe1aa7fbb7f031ee7e5213dd6656d1502f127f6ddbd5b9aab8f6d880031ea688
SHA512: 9fb18a250f93fba63cf40e8efe58ef687ad197f764f1f16b23a9cbf6efc64fe60a75b523ff1c8876fa70f597f8149139410396c03db58294fce5019ea627ff07

Filesize: 277KB
MD5: 6c7fd9ac3c7b209e7d376732d24fcc9e
SHA1: 0f0627913b903f8f3ffb4e72036369d5b0a3130f
SHA256: 31ea4bb0be33dc11d75951c1fcc0496a90fdb0057c262579326f89d42b927ff9
SHA512: 518e91820855d8088b474bc843d5d1fb72349b9f37b15dc89f8e72c45a9b935bc1a357f999a5371020edcf739a79636c22478c11a291192a5ac28c164e54e4af

Filesize: 1.9MB
MD5: 560c57996398b6d5fcda78ca1372dfe7
SHA1: 2881fb19501b0bfb91cd80b0270e7bbc04853a27
SHA256: 72a9721c2098fa1760d735bf2482caee20df5b3b56437ab776639825f4f0f8a7
SHA512: f520e3bc1d3df2dfe34758dbab202a476223973db52b3b8d0e262d5816a1d184d919b9d53e4ef0f2b93f4b1b63ee3bf211254fd2051a32a2987978496bf4db44