Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 17/01/2025, 12:55

Static task: static1

Behavioral task: behavioral1
- Sample: JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
- Resource: win10v2004-20241007-en

General
- Target: JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
- Size: 1.9MB
- MD5: 8c450ef4b459456b4b037dbb321619a5
- SHA1: 3a84b8c946a16accb03cb173c87ab465fbbd1194
- SHA256: 4e398a335174371bee9882621b81bef435d9b8c013bd934b9f2f956703b8c7be
- SHA512: 8a11f93a2bf39272c7e768ff636a36a4faa2d424aad6588b59d188355e23627a2107fb58f77f5520caeed48138b0683d6397951426c6e0aaedcae42c6986558e
- SSDEEP: 49152:ydOjNXMu8VaWg/IbwsYRxUGXET3pbjX6JyytOdsi3:IOjtMaWZUxUfT35X06si
Malware Config
Signatures

Cycbot family

Detects Cycbot payload (7 IoCs)
Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral1/memory/2704-42-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
  behavioral1/memory/2740-148-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
  behavioral1/memory/1728-152-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
  behavioral1/memory/2740-217-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
  behavioral1/memory/308-221-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
  behavioral1/memory/2740-319-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
  behavioral1/memory/2740-387-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot

Modifies security service (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | dwme.exe

Pony family

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Disables taskbar notifications via registry modification

Drops file in Drivers directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | Cloud AV 2012v121.exe

Executes dropped EXE (7 IoCs)
  pid | Process
  2740 | dwme.exe
  2704 | dwme.exe
  2812 | Cloud AV 2012v121.exe
  2596 | Cloud AV 2012v121.exe
  1728 | dwme.exe
  308 | dwme.exe
  2808 | 7EF0.tmp

Loads dropped DLL (14 IoCs)
  pid | Process | events
  2168 | JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe | 6
  2812 | Cloud AV 2012v121.exe | 2
  2596 | Cloud AV 2012v121.exe | 2
  2740 | dwme.exe | 4

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\95C.exe = "C:\\Program Files (x86)\\LP\\1A3A\\95C.exe" | dwme.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QD3onG4am6W7E88234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe" | JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D1ivD3onFaHsJdL = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe" | JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucS2ibD3pGaHsKf8234A = "C:\\Users\\Admin\\AppData\\Roaming\\gS2ibF3pn5Q6W7R\\Cloud AV 2012v121.exe" | Cloud AV 2012v121.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Cloud AV 2012v121.exe | JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
  File created | C:\Windows\SysWOW64\Cloud AV 2012v121.exe | Cloud AV 2012v121.exe

YARA rule upx matches (17 IoCs)
  resource | yara_rule
  behavioral1/memory/2168-2-0x0000000000400000-0x0000000000917000-memory.dmp | upx
  behavioral1/memory/2168-26-0x0000000000400000-0x0000000000917000-memory.dmp | upx
  behavioral1/memory/2168-28-0x0000000000400000-0x0000000000914000-memory.dmp | upx
  behavioral1/memory/2812-39-0x0000000000400000-0x0000000000917000-memory.dmp | upx
  behavioral1/memory/2704-42-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2168-139-0x0000000000400000-0x0000000000917000-memory.dmp | upx
  behavioral1/memory/2740-148-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/1728-152-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2596-155-0x0000000000400000-0x0000000000917000-memory.dmp | upx
  behavioral1/memory/2740-217-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/308-221-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2596-224-0x0000000000400000-0x0000000000917000-memory.dmp | upx
  behavioral1/memory/2596-308-0x0000000000400000-0x0000000000917000-memory.dmp | upx
  behavioral1/memory/2740-319-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2596-327-0x0000000000400000-0x0000000000917000-memory.dmp | upx
  behavioral1/memory/2596-337-0x0000000000400000-0x0000000000917000-memory.dmp | upx
  behavioral1/memory/2740-387-0x0000000000400000-0x000000000046B000-memory.dmp | upx

Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\LP\1A3A\7EF0.tmp | dwme.exe
  File created | C:\Program Files (x86)\LP\1A3A\95C.exe | dwme.exe
  File opened for modification | C:\Program Files (x86)\LP\1A3A\95C.exe | dwme.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dwme.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dwme.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cloud AV 2012v121.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cloud AV 2012v121.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dwme.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dwme.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7EF0.tmp

Modifies registry class (10 IoCs)
  description | ioc | Process
  Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = (binary value not shown) | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133815939457484000" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133698140141790000" | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = (binary value not shown) | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | events
  2812 | Cloud AV 2012v121.exe | 8
  2740 | dwme.exe | 14
  2596 | Cloud AV 2012v121.exe | 42

Suspicious use of AdjustPrivilegeToken (15 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 2348 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2348 | msiexec.exe
  Token: SeSecurityPrivilege | 2348 | msiexec.exe
  Token: SeShutdownPrivilege | 2072 | explorer.exe (12 events)

Suspicious use of FindShellTrayWindow (33 IoCs)
  pid | Process | events
  2596 | Cloud AV 2012v121.exe | 5
  2072 | explorer.exe | 28

Suspicious use of SendNotifyMessage (35 IoCs)
  pid | Process | events
  2596 | Cloud AV 2012v121.exe | 5
  2072 | explorer.exe | 30

Suspicious use of SetWindowsHookEx (8 IoCs)
  pid | Process | events
  2168 | JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe | 1
  2812 | Cloud AV 2012v121.exe | 2
  2596 | Cloud AV 2012v121.exe | 5

Suspicious use of WriteProcessMemory (28 IoCs; each row was recorded 4 times)
  description | pid | Process | procid_target
  PID 2168 wrote to memory of 2740 | 2168 | JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe | 30
  PID 2168 wrote to memory of 2704 | 2168 | JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe | 31
  PID 2168 wrote to memory of 2812 | 2168 | JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe | 32
  PID 2812 wrote to memory of 2596 | 2812 | Cloud AV 2012v121.exe | 33
  PID 2740 wrote to memory of 1728 | 2740 | dwme.exe | 36
  PID 2740 wrote to memory of 308 | 2740 | dwme.exe | 37
  PID 2740 wrote to memory of 2808 | 2740 | dwme.exe | 39

System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | dwme.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | dwme.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe (PID 2168)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\dwme.exe (PID 2740)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
    - Modifies security service
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification

    - C:\Users\Admin\AppData\Local\Temp\dwme.exe (PID 1728)
      Command line: C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\A9146\7D81A.exe%C:\Users\Admin\AppData\Roaming\A9146
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    - C:\Users\Admin\AppData\Local\Temp\dwme.exe (PID 308)
      Command line: C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\464C9\lvvm.exe%C:\Program Files (x86)\464C9
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    - C:\Program Files (x86)\LP\1A3A\7EF0.tmp (PID 2808)
      Command line: "C:\Program Files (x86)\LP\1A3A\7EF0.tmp"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

  - C:\Users\Admin\AppData\Roaming\dwme.exe (PID 2704)
    Command line: C:\Users\Admin\AppData\Roaming\dwme.exe auto
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  - C:\Windows\SysWOW64\Cloud AV 2012v121.exe (PID 2812)
    Command line: C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Roaming\gS2ibF3pn5Q6W7R\Cloud AV 2012v121.exe (PID 2596)
      Command line: C:\Users\Admin\AppData\Roaming\gS2ibF3pn5Q6W7R\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\msiexec.exe (PID 2348)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\explorer.exe (PID 2072)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads

- Filesize: 300B
  MD5: 79fc18557d026ab468892c6106633ad4
  SHA1: 8786bd927c5f97c44f776a29efa8300a3ee3e03e
  SHA256: af53c8b9634fda741431ba598511f095c3c520a9529da103370a10ad0194c3b5
  SHA512: 84a4233efd7be69570f068a8ee5896208c2578c99a1683f711e68ce4f612f6d455b2e89618fe9dd6e3f91c1da68589e024f1307c27d19ff9febc814dee3ae85d

- Filesize: 696B
  MD5: 4f6dc49499df64dd6599a5723703b523
  SHA1: 8d095b6055fb96c9ee7f042ffb9d232aa8e6a6a5
  SHA256: 31b194134661f88549b2263a80f07e9cd7b24e5be7488a9260cf5590d9855b22
  SHA512: 77709fd8a9b427174ec03fb1a1c5600d9d56f0a08c110c32042374452da17f599355c3c7cdbb395b028686b02f7f9e0688ebd6ceddbb30de99f809e79b4112fd

- Filesize: 1KB
  MD5: 42bf2dcb117bb0d85c775016e00330c6
  SHA1: 5137088ccc567320055693e9ce107797efa3aeb7
  SHA256: 297f60ed99994647ebe5c714bda74d7a547db207367bf35ab4e924680ca27a6d
  SHA512: fd36c2cbba246e4f16c33b093f6b37654aef157481892d4031c81e1ae7172a981fcc786627b95efd4bd6f7460beb40e7a9bdacc611c61a87975f81915890d5dc

- Filesize: 1KB
  MD5: 4dd5188bb5a743ecd187397cbc4deff2
  SHA1: 95f7b1659bc5d9a28a8535efeb9f828831a77eba
  SHA256: ebc1e0d2a5d2ddd2468ba277701e869a1d9c3f57ac7013bbc8ae5879010c3bc9
  SHA512: 9b58bbf9a8722096b50781b6a70fb60f3e803d227d452f2519fbbd534626d6e613d1b33ac1852dc8f706a01d197b7e5b587c4ae4a8fa8f5d22953fc13ac7f2a9

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk
  Filesize: 1KB
  MD5: c46896dabbedb7001bc7f8b129368826
  SHA1: ccb3bfdd216e26b542d76243ce16dd8a19963f99
  SHA256: f8a1a2fb3288bda49c7fdb347bf66b756e471dd3047883c60f6076171b4169e2
  SHA512: 1da3516f4d64b8ada0b381e88bf92a586010ace14ffc6f5f9991be67c83a59b4e65ef62fa9003e384c25751e6bb012bd6a1c00ddfea4952200a6263178e2d70e

- Filesize: 1KB
  MD5: 832714f96516cf127eeccbc92937c0bb
  SHA1: ad7aef128242e0ff0d1b91e984d87fcea41cf07e
  SHA256: 4af5eff1f446f1d6a4f7bbcb3ad39b6dcf76bbede7819deb4f13822733f99506
  SHA512: 9a5649f2aa84344465905eebcc8f300f01690217971eae91548b023c70e3cc0bb1a02d4fe6bea48be7c86d78d7e29e08db99e12454b2eb9f3e045e9a4a883413

- Filesize: 12KB
  MD5: bb87f71a6e7f979fcb716926d452b6a8
  SHA1: f41e3389760eaea099720e980e599a160f0413b9
  SHA256: 14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84
  SHA512: e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

- Filesize: 1KB
  MD5: 48720c52fe63052e0944e22a0fb4decc
  SHA1: 0493a546116713e9fc73d99a055508bddd1a971f
  SHA256: 9bf143f08bd5438cb8a6d55b49a3216f948abfaf427a72946b0c4754e36bd832
  SHA512: ca94814a81804064e764f960dd40294609f13207b01bcff81609f3953b0b20e816dfde753c4488ce2b7a475e722568646e6651ae587f07e1d6c2f7fb93f4c97e

- Filesize: 1KB
  MD5: da92c10d26caf9083835ea4e9c9d39d9
  SHA1: 5248b4965b5b3aeca5dd12f59dcae26d0186b052
  SHA256: ccf1bd93891bb2e22540ef9baf3acc2e7a30c46054cb12b08567a43ac3fdc8ae
  SHA512: 28e848434bba3facc9a92a9d6fdfc1257261d01a818ef389db3b37c0103451d51c62efa6ac41453f42de22e685d7f55d00405a63dec8dd2928e856fb18becff5

- Filesize: 1KB
  MD5: f48cfb5db32cdf990f35a5ef9146dbf4
  SHA1: 09b4f991e17aba915160f6c153c6d78e2d4aa4d9
  SHA256: 72439cac78aae2122ddea93a12f562ea85c9fb909bef25cae982480a2d51f397
  SHA512: 385c74297ee70bdce1cf2dbcafd95e1d96f1b9ffd0fac713d614f84b9d02c28359276434ea164082ae46b312f40dd9911a27526df2ef3613118a0efc9271d301

- Filesize: 99KB
  MD5: ac9682380b3c94ffe32d0aca1a53d53e
  SHA1: 7c1485c7d2720d433306ff5c86fd944331bc4447
  SHA256: cd0e4cd89551d243fd1365950d28470d56a09f29e834d13288f6ca1aff4c1626
  SHA512: 978eaa0bfd1c62d4e7eaac0470ed29dfcc683aef8b087fbd76caf1218d700010d1bb2ae1d155811665e52c842326bef1779d082161b72c8c25c8e6167ea12eb9

- Filesize: 279KB
  MD5: c97ff984c8643e9a8404592683cd7162
  SHA1: 9f0e2724d047c794b4457fb799cc6e96438a7292
  SHA256: 1c5529c199a8a1744246396812a2e90c847ca78a6a438592010fe1b0573fdf32
  SHA512: f18481023fc45bc8618dd2aa481d806d1c799b5a635ed2ad64be0ed3f26470330973bfa04a56349f8cc473761bab1ea1780d07c7d77b5895b4aef0219e7a4bf6

- Filesize: 1.9MB
  MD5: 8c450ef4b459456b4b037dbb321619a5
  SHA1: 3a84b8c946a16accb03cb173c87ab465fbbd1194
  SHA256: 4e398a335174371bee9882621b81bef435d9b8c013bd934b9f2f956703b8c7be
  SHA512: 8a11f93a2bf39272c7e768ff636a36a4faa2d424aad6588b59d188355e23627a2107fb58f77f5520caeed48138b0683d6397951426c6e0aaedcae42c6986558e