Analysis
max time kernel: 150s
max time network: 100s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22/01/2025, 16:05
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_0f3f2efc061b947417b5091581387037.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_0f3f2efc061b947417b5091581387037.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_0f3f2efc061b947417b5091581387037.exe
Size: 608KB
MD5: 0f3f2efc061b947417b5091581387037
SHA1: 83bc2c190a06cf743e20a1b9e78fcc3b4ef0dac4
SHA256: 9e3b6bfecefbae3e35de79a8b6ca392f5342e21b1057c6500a5dadba50bf21c6
SHA512: cace34a948aeb8193819a112ceb8187f9786763948cb48b6e5541cf9cdbe9f8937f09e5d6878433003737833cc79185d587f1d7d60c92f602b04cba1297d66a1
SSDEEP: 12288:0BYDZJr1E+3JcdrXxE3Vq4Vcim38bJ6vKDn5gcPUbjC:0qF6+ydroLrJ6vKVgkUb
Malware Config
Signatures
Cycbot family
Detects Cycbot payload (3 IoCs)
Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral1/memory/1968-112-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
  behavioral1/memory/664-172-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
  behavioral1/memory/1968-173-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
Modifies security service (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | 3nua.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | aUY5E15SY8.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dooex.exe
Pony family
-
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Disables taskbar notifications via registry modification
-
Deletes itself (1 IoC)
  pid | Process
  1204 | cmd.exe
Executes dropped EXE (12 IoCs)
  pid | Process
  1480 | aUY5E15SY8.exe
  2856 | dooex.exe
  3040 | 2nua.exe
  2744 | 2nua.exe
  2800 | 2nua.exe
  1744 | 2nua.exe
  592 | 2nua.exe
  2012 | 2nua.exe
  1968 | 3nua.exe
  664 | 3nua.exe
  2524 | 8537.tmp
  1152 | 3nua.exe
Loads dropped DLL (10 IoCs)
  pid | Process
  2448 | JaffaCakes118_0f3f2efc061b947417b5091581387037.exe
  2448 | JaffaCakes118_0f3f2efc061b947417b5091581387037.exe
  1480 | aUY5E15SY8.exe
  1480 | aUY5E15SY8.exe
  2448 | JaffaCakes118_0f3f2efc061b947417b5091581387037.exe
  2448 | JaffaCakes118_0f3f2efc061b947417b5091581387037.exe
  2448 | JaffaCakes118_0f3f2efc061b947417b5091581387037.exe
  2448 | JaffaCakes118_0f3f2efc061b947417b5091581387037.exe
  1968 | 3nua.exe
  1968 | 3nua.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 53 IoCs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 2nua.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 2nua.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 2nua.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 2nua.exe
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  pid | Process
  2748 | tasklist.exe
  2300 | tasklist.exe
Suspicious use of SetThreadContext (5 IoCs)
  description | pid | Process | procid_target
  PID 3040 set thread context of 2744 | 3040 | 2nua.exe | 36
  PID 3040 set thread context of 2800 | 3040 | 2nua.exe | 37
  PID 3040 set thread context of 1744 | 3040 | 2nua.exe | 38
  PID 3040 set thread context of 592 | 3040 | 2nua.exe | 39
  PID 3040 set thread context of 2012 | 3040 | 2nua.exe | 40
Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\LP\88B9\5CE.exe | 3nua.exe
  File opened for modification | C:\Program Files (x86)\LP\88B9\5CE.exe | 3nua.exe
  File opened for modification | C:\Program Files (x86)\LP\88B9\8537.tmp | 3nua.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 15 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | opened in turn by: 2nua.exe, 3nua.exe, aUY5E15SY8.exe, 2nua.exe, 2nua.exe, cmd.exe, 3nua.exe, 8537.tmp, 3nua.exe, JaffaCakes118_0f3f2efc061b947417b5091581387037.exe, tasklist.exe, dooex.exe, 2nua.exe, cmd.exe, tasklist.exe
Modifies registry class (5 IoCs)
  description | ioc | Process
  Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1700 | explorer.exe
Suspicious use of AdjustPrivilegeToken 21 IoCs
Suspicious use of FindShellTrayWindow 29 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  2448 | JaffaCakes118_0f3f2efc061b947417b5091581387037.exe
  1480 | aUY5E15SY8.exe
  2856 | dooex.exe
  3040 | 2nua.exe
  592 | 2nua.exe
  2012 | 2nua.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 3nua.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | 3nua.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Nesting level is shown in brackets; each entry lists the process image, PID, command line and matched signatures.)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f3f2efc061b947417b5091581387037.exe (PID 2448)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f3f2efc061b947417b5091581387037.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\aUY5E15SY8.exe (PID 1480)
        Command line: C:\Users\Admin\aUY5E15SY8.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\dooex.exe (PID 2856)
            Command line: "C:\Users\Admin\dooex.exe"
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\cmd.exe (PID 2884)
            Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del aUY5E15SY8.exe
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\tasklist.exe (PID 2748)
                Command line: tasklist
                - Enumerates processes with tasklist
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\2nua.exe (PID 3040)
        Command line: C:\Users\Admin\2nua.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\2nua.exe (PID 2744)
            Command line: "C:\Users\Admin\2nua.exe"
            - Executes dropped EXE

        [3] C:\Users\Admin\2nua.exe (PID 2800)
            Command line: "C:\Users\Admin\2nua.exe"
            - Executes dropped EXE
            - Maps connected drives based on registry
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Users\Admin\2nua.exe (PID 1744)
            Command line: "C:\Users\Admin\2nua.exe"
            - Executes dropped EXE
            - Maps connected drives based on registry
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Users\Admin\2nua.exe (PID 592)
            Command line: "C:\Users\Admin\2nua.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\2nua.exe (PID 2012)
            Command line: "C:\Users\Admin\2nua.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

    [2] C:\Users\Admin\3nua.exe (PID 1968)
        Command line: C:\Users\Admin\3nua.exe
        - Modifies security service
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - System policy modification

        [3] C:\Users\Admin\3nua.exe (PID 664)
            Command line: C:\Users\Admin\3nua.exe startC:\Users\Admin\AppData\Roaming\9D2AC\AA988.exe%C:\Users\Admin\AppData\Roaming\9D2AC
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

        [3] C:\Program Files (x86)\LP\88B9\8537.tmp (PID 2524)
            Command line: "C:\Program Files (x86)\LP\88B9\8537.tmp"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\3nua.exe (PID 1152)
            Command line: C:\Users\Admin\3nua.exe startC:\Program Files (x86)\AC91E\lvvm.exe%C:\Program Files (x86)\AC91E
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe (PID 1204)
        Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_0f3f2efc061b947417b5091581387037.exe
        - Deletes itself
        - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\tasklist.exe (PID 2300)
            Command line: tasklist
            - Enumerates processes with tasklist
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\msiexec.exe (PID 2264)
    Command line: C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\explorer.exe (PID 1700)
    Command line: explorer.exe
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[1] C:\Windows\system32\AUDIODG.EXE (PID 2728)
    Command line: C:\Windows\system32\AUDIODG.EXE 0x494
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
(Counts in parentheses are the number of matched signatures per technique.)

Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (5)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads