Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23/01/2025, 07:32
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe
Resource
win10v2004-20241007-en
General
Target: JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe
Size: 608KB
MD5: 15040e3948d3698515f8aeb59ec41ebd
SHA1: 3e106304a9ed54ec20af8addcda0ca6b4ed258ce
SHA256: 4499816b1494243ba7d05c7332d7eaabc2942af222ae3bd44a1fe62cfd94e66c
SHA512: 4ad460baba45b8c15b455e0b2a204ebd803f5d30c1cfdb655061a60f04967cc26748f22e2f6eeed7749c37c3ef96e92ae0b400c596d99f9647cd9e068a76f95c
SSDEEP: 12288:mBYDZJr1E+3JcdrXxE3Vq4Vcim38bJ6vKDn5gcPUbjC:mqF6+ydroLrJ6vKVgkUb
Malware Config
Signatures
Cycbot family

Detects Cycbot payload (4 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource  yara_rule
behavioral1/memory/2876-129-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
behavioral1/memory/1580-131-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
behavioral1/memory/2876-256-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
behavioral1/memory/1100-258-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
All four hits are in 3nua.exe processes (PIDs 2876, 1580 and 1100 in the process list), so 3nua.exe is the Cycbot component of this sample.
Modifies security service (2 TTPs, 1 IoC)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"  3nua.exe
wscsvc is the Windows Security Center service. A Start value of 3 is SERVICE_DEMAND_START, so after the next reboot the service no longer starts automatically and Security Center stops reporting AV/firewall state. The write is under HKLM\SYSTEM, which a standard user cannot modify; like the Program Files drop and the HKLM Run key below, it only succeeds when the sample runs with administrative rights.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  aUY5E15SY8.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  yayiw.exe
ShowSuperHidden = 0 is the Explorer option "Hide protected operating system files"; both the dropper and its copy yayiw.exe force it off so that files marked hidden+system stay invisible in Explorer.
Pony family

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
The only hit is explorer.exe (PID 2020, the desktop shell) creating the per-user Installed Components key; no dropped binary writes a component entry under it, so this signature is low confidence for this sample. The Run-key and HKLM policy writes below are the persistence to act on.

Disables taskbar notifications via registry modification
Deletes itself (1 IoC)
pid  Process
1768  cmd.exe
The deletion is the "cmd.exe /c tasklist&&del JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe" child shown in the process tree: tasklist is run only to give the parent time to exit before del removes the original file. aUY5E15SY8.exe uses the same trick on itself through cmd.exe PID 2704.
Executes dropped EXE (12 IoCs)
pid  Process
1800  aUY5E15SY8.exe
2840  yayiw.exe
1848  2nua.exe
2808  2nua.exe
2284  2nua.exe
2572  2nua.exe
2420  2nua.exe
1404  2nua.exe
2876  3nua.exe
1580  3nua.exe
1100  3nua.exe
1088  6FE3.tmp

Loads dropped DLL (15 IoCs)
pid  Process  (rows)
2096  JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe  x6
1800  aUY5E15SY8.exe  x2
1848  2nua.exe  x5
2876  3nua.exe  x2
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTP)
Steal credentials from unsecured files.

No IoC rows are attached to these three credential-access signatures in this report, so the report does not say which process performed the reads.
Adds Run key to start application (2 TTPs, 53 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\yayiw = "C:\\Users\\Admin\\yayiw.exe /L"  aUY5E15SY8.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\747.exe = "C:\\Program Files (x86)\\LP\\7E69\\747.exe"  3nua.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\yayiw = "C:\\Users\\Admin\\yayiw.exe /<switch>"  yayiw.exe  (x51)
The 51 yayiw.exe rows differ only in the single-letter switch; in order of appearance: /w /Y /K /Q /v /g /e /f /C /r /j /H /i /Z /k /A /X /G /S /L /l /V /T /N /n /B /m /D /E /M /s /I /t /h /J /F /c /P /b /z /p /y /a /d /q /O /W /x /R /U /o.
Two persistence entries are set here. The dropper aUY5E15SY8.exe registers its copy C:\Users\Admin\yayiw.exe under the user's Run key, after which yayiw.exe keeps rewriting that same value with a changing switch, so a detection should key on the value name and image path rather than the exact data. Separately, the Cycbot component 3nua.exe registers C:\Program Files (x86)\LP\7E69\747.exe under the 32-bit HKLM Run key, which, like the Program Files drop, needs administrative rights.
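The registry rows throughout this report (the wscsvc Start change, ShowSuperHidden, the Active Setup key, the 53 Run-key writes and the HideSCAHealth policy) are printed as flattened "operation path = data process" text. The following parser is an added example for this page, not part of the Triage report or of any Triage tooling: it turns rows of the form `Set value (type) <path> = "<data>" <process>` and `Key created <path> <process>` into records with the kernel object-manager prefix rewritten to HKLM/HKU, flags writes under autostart locations, collapses repeated rewrites of one value (the yayiw Run value) into a single entry listing its distinct data strings, and attaches the generic Windows meaning of the three configuration values this sample changes. The sample rows are copied from the tables above; the record class, function names and the meaning table are this example's own assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: registry rows copied from the signature tables above, in the
# flattened form the sandbox prints them. The SID is the sandbox user's.
SID = "S-1-5-21-4177215427-74451935-3209572229-1000"
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" 3nua.exe',
    rf'Set value (int) \REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" aUY5E15SY8.exe',
    rf'Set value (str) \REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\yayiw = "C:\\Users\\Admin\\yayiw.exe /w" yayiw.exe',
    rf'Set value (str) \REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\yayiw = "C:\\Users\\Admin\\yayiw.exe /Y" yayiw.exe',
    rf'Set value (str) \REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\yayiw = "C:\\Users\\Admin\\yayiw.exe /L" aUY5E15SY8.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\747.exe = "C:\\Program Files (x86)\\LP\\7E69\\747.exe" 3nua.exe',
    rf'Key created \REGISTRY\USER\{SID}\Software\Microsoft\Active Setup\Installed Components explorer.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 3nua.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" 3nua.exe',
]

# One row: operation, lazily matched path, optional ' = data' (quoted or bare), process.
IOC_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key created|Key opened|Key value queried) '
    r'(?P<path>.+?)'
    r'(?: = (?P<data>"[^"]*"|\S+))?'
    r' (?P<proc>\S+)$'
)
OP_NAMES = {"Key created": "create", "Key opened": "open", "Key value queried": "query"}
HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))


@dataclass(frozen=True)
class RegIoc:
    op: str                # set | create | open | query
    vtype: Optional[str]   # int | str | data for 'set', else None
    path: str              # hive-normalized key or value path
    data: Optional[str]    # value data without the surrounding quotes
    proc: str              # process that performed the operation


def normalize_path(path: str) -> str:
    """Rewrite the kernel object-manager prefix to the familiar HKLM/HKU form."""
    for raw, short in HIVES:
        if path.upper().startswith(raw):
            return short + path[len(raw):]
    return path


def parse_ioc(line: str) -> Optional[RegIoc]:
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    op = "set" if m["op"].startswith("Set value") else OP_NAMES[m["op"]]
    data = m["data"]
    if data and data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return RegIoc(op, m["vtype"], normalize_path(m["path"]), data, m["proc"])


def parse_iocs(lines) -> List[RegIoc]:
    return [r for r in (parse_ioc(l) for l in lines) if r is not None]


AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\",
                     "\\active setup\\installed components")


def autostart_writes(records) -> List[RegIoc]:
    """Writes or key creations under the autostart locations this report touches."""
    return [r for r in records if r.op in ("set", "create")
            and any(mk in r.path.lower() for mk in AUTOSTART_MARKERS)]


def collapse_by_value(records) -> Dict[Tuple[str, str], List[str]]:
    """Group 'set' rows by (path, writer) and keep the distinct data strings, so the
    52 rewrites of the yayiw Run value in the report become one entry with variants."""
    groups = defaultdict(set)
    for r in records:
        if r.op == "set":
            groups[(r.path, r.proc)].add(r.data or "")
    return {k: sorted(v) for k, v in groups.items()}


# Generic Windows semantics (assumption: standard meaning of these values, not sample-specific).
SERVICE_START = {"0": "boot", "1": "system", "2": "auto", "3": "demand (manual)", "4": "disabled"}


def describe(rec: RegIoc) -> Optional[str]:
    low = rec.path.lower()
    if rec.op != "set":
        return None
    if "\\services\\" in low and low.endswith("\\start"):
        svc = rec.path.split("\\")[-2]
        return f"service {svc} start type -> {SERVICE_START.get(rec.data, rec.data)}"
    if low.endswith("\\explorer\\advanced\\showsuperhidden"):
        return "protected OS files " + ("shown" if rec.data == "1" else "hidden") + " in Explorer"
    if low.endswith("\\policies\\explorer\\hidescahealth"):
        return "Action Center tray icon " + ("hidden" if rec.data == "1" else "shown")
    return None


if __name__ == "__main__":
    recs = parse_iocs(SAMPLE_IOCS)
    for r in autostart_writes(recs):
        print("autostart:", r.proc, r.path, r.data)
    for r in recs:
        if describe(r):
            print("meaning:", describe(r))
```

The lazy path match is what makes the row format parseable: a path may contain spaces (Active Setup\Installed Components) and the data may contain spaces and quotes, but the process name never does, so the last whitespace-separated token is always the writer.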
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  2nua.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  2nua.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  2nua.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  2nua.exe
Disk\Enum\0 holds the device instance path of the first disk, which includes the vendor and product strings and therefore gives away a virtual disk. The process tree attributes these reads to the 2nua.exe children 2284 and 2572, i.e. to the hollowed payloads rather than the loader.
Enumerates processes with tasklist (1 TTP, 2 IoCs)
pid  Process
624  tasklist.exe
2760  tasklist.exe
Suspicious use of SetThreadContext (5 IoCs)
description  pid  Process  procid_target
PID 1848 set thread context of 2808  1848  2nua.exe  38
PID 1848 set thread context of 2284  1848  2nua.exe  39
PID 1848 set thread context of 2572  1848  2nua.exe  40
PID 1848 set thread context of 2420  1848  2nua.exe  41
PID 1848 set thread context of 1404  1848  2nua.exe  42
2nua.exe (PID 1848) starts five copies of its own image and, after writing into each (see the WriteProcessMemory rows), replaces the thread context: the create-suspended, write, SetThreadContext, resume sequence of RunPE-style process hollowing. The upx yara hits in those children all sit at the 32-bit default image base 0x400000 but with three different sizes (0x29000 in 2284, 0x7000 in 2420, 0xA000 in 1404), so at least three distinct payload images are mapped into what the process list shows as identical 2nua.exe children.
Memory dumps matching yara rule upx (23 IoCs)
resource  yara_rule
behavioral1/memory/2284-53-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2284-52-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2284-51-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2284-49-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2284-46-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2284-44-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2420-74-0x0000000000400000-0x0000000000407000-memory.dmp  upx
behavioral1/memory/2420-77-0x0000000000400000-0x0000000000407000-memory.dmp  upx
behavioral1/memory/2420-72-0x0000000000400000-0x0000000000407000-memory.dmp  upx
behavioral1/memory/2420-94-0x0000000000400000-0x0000000000407000-memory.dmp  upx
behavioral1/memory/1404-93-0x0000000000400000-0x000000000040A000-memory.dmp  upx
behavioral1/memory/1404-101-0x0000000000400000-0x000000000040A000-memory.dmp  upx
behavioral1/memory/1404-92-0x0000000000400000-0x000000000040A000-memory.dmp  upx
behavioral1/memory/1404-91-0x0000000000400000-0x000000000040A000-memory.dmp  upx
behavioral1/memory/2420-87-0x0000000000400000-0x0000000000407000-memory.dmp  upx
behavioral1/memory/1404-83-0x0000000000400000-0x000000000040A000-memory.dmp  upx
behavioral1/memory/1404-81-0x0000000000400000-0x000000000040A000-memory.dmp  upx
behavioral1/memory/2284-113-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2420-125-0x0000000000400000-0x0000000000407000-memory.dmp  upx
behavioral1/memory/2876-129-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/1580-131-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/2876-256-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/1100-258-0x0000000000400000-0x000000000046A000-memory.dmp  upx
The page does not carry a signature name for this table, only the rule name. Every region starts at 0x400000, so the matches are in the mapped main-module image of each process, not in a heap or injected allocation; the three 3nua.exe dumps (2876, 1580, 1100) are the same ones that match family_cycbot above.
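Added example, not part of the report or of Triage: a parser for the memory-dump hit names (`<task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>`) that groups rules per PID and computes region sizes, so the family_cycbot hits can be cross-referenced with the upx hits. The hit lines are quoted from the two yara tables above; the Hit class, the function names and the default-image-base check are this example's own assumptions. On the quoted data it shows that the three PIDs carrying both rules are the 3nua.exe instances and that the 2nua.exe children (2284, 2420, 1404) carry upx only, each with a different region size at the same base.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample: memory-dump hits quoted from the two yara tables on this page,
# in the flattened "<dump> <rule> <dump> <rule> ..." form the sandbox prints.
RAW_HITS = (
    "behavioral1/memory/2876-129-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot "
    "behavioral1/memory/1580-131-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot "
    "behavioral1/memory/2876-256-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot "
    "behavioral1/memory/1100-258-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot "
    "behavioral1/memory/2284-53-0x0000000000400000-0x0000000000429000-memory.dmp upx "
    "behavioral1/memory/2420-74-0x0000000000400000-0x0000000000407000-memory.dmp upx "
    "behavioral1/memory/1404-93-0x0000000000400000-0x000000000040A000-memory.dmp upx "
    "behavioral1/memory/2876-129-0x0000000000400000-0x000000000046A000-memory.dmp upx "
    "behavioral1/memory/1580-131-0x0000000000400000-0x000000000046A000-memory.dmp upx "
    "behavioral1/memory/1100-258-0x0000000000400000-0x000000000046A000-memory.dmp upx"
)

HIT_RE = re.compile(
    r"(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)"
)

DEFAULT_IMAGE_BASE = 0x400000  # linker default image base for 32-bit PE executables


@dataclass(frozen=True)
class Hit:
    task: str
    pid: int
    seq: int     # dump sequence number within the task
    start: int   # region start address
    end: int     # region end address (exclusive)
    rule: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_hits(text: str) -> List[Hit]:
    """Parse every '<dump> <rule>' pair, whether on separate lines or flattened."""
    return [Hit(m["task"], int(m["pid"]), int(m["seq"]), int(m["start"], 16),
                int(m["end"], 16), m["rule"]) for m in HIT_RE.finditer(text)]


def rules_by_pid(hits) -> Dict[int, Set[str]]:
    out = defaultdict(set)
    for h in hits:
        out[h.pid].add(h.rule)
    return dict(out)


def pids_matching_all(hits, rules) -> List[int]:
    """PIDs whose dumps matched every rule in `rules`."""
    wanted = set(rules)
    return sorted(pid for pid, rs in rules_by_pid(hits).items() if wanted <= rs)


def image_regions(hits) -> Dict[int, List[Tuple[int, int]]]:
    """Distinct (start, end) regions per PID, for spotting different image sizes."""
    regions = defaultdict(set)
    for h in hits:
        regions[h.pid].add((h.start, h.end))
    return {pid: sorted(r) for pid, r in regions.items()}


def at_default_base(hits) -> bool:
    """True when every hit is a region starting at the default PE image base, i.e.
    the matches are in the mapped main module rather than a heap or injected region."""
    return all(h.start == DEFAULT_IMAGE_BASE for h in hits)


def summarize(hits) -> List[str]:
    lines = []
    for pid, rs in sorted(rules_by_pid(hits).items()):
        sizes = ", ".join(f"0x{e - s:X}" for s, e in image_regions(hits)[pid])
        lines.append(f"pid {pid}: rules={sorted(rs)} region sizes={sizes}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_hits(RAW_HITS)):
        print(line)
```

Feeding the full 23-row upx table above through `parse_hits` instead of the quoted subset changes only the per-PID hit counts, not the rule sets or region sizes.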
Drops file in Program Files directory (3 IoCs)
description  ioc  Process
File opened for modification  C:\Program Files (x86)\LP\7E69\6FE3.tmp  3nua.exe
File created  C:\Program Files (x86)\LP\7E69\747.exe  3nua.exe
File opened for modification  C:\Program Files (x86)\LP\7E69\747.exe  3nua.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 15 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by: tasklist.exe (x2), 6FE3.tmp, 3nua.exe (x3), 2nua.exe (x4), yayiw.exe, cmd.exe (x2), JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe, aUY5E15SY8.exe
Every process in the run opens this key, including cmd.exe and tasklist.exe, so on its own it is not evidence that the sample geo-fences its victims.
Modifies registry class (5 IoCs)
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe
All five rows are explorer.exe maintaining its ShellBag (BagMRU) folder-view state, which it does whenever a folder is opened; none is written by a process of the sample.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process  (rows)
1800  aUY5E15SY8.exe  x2
2284  2nua.exe  x2
2572  2nua.exe  x1
2840  yayiw.exe  x45
2876  3nua.exe  x14
The rows are interleaved over time; the list stops at exactly 64 entries, as does the WriteProcessMemory list, so treat the counts as lower bounds.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid  Process
2020  explorer.exe

Suspicious use of AdjustPrivilegeToken (17 IoCs)
description  pid  Process
Token: SeDebugPrivilege  2760  tasklist.exe
Token: SeRestorePrivilege  2520  msiexec.exe
Token: SeTakeOwnershipPrivilege  2520  msiexec.exe
Token: SeSecurityPrivilege  2520  msiexec.exe
Token: SeDebugPrivilege  624  tasklist.exe
Token: SeShutdownPrivilege  2020  explorer.exe  (x12)

Suspicious use of FindShellTrayWindow (28 IoCs)
pid  Process
2020  explorer.exe  (x28)

Suspicious use of SendNotifyMessage (22 IoCs)
pid  Process
2020  explorer.exe  (x22)

The GetForegroundWindowSpam, FindShellTrayWindow, SendNotifyMessage and SeShutdownPrivilege rows all come from explorer.exe (PID 2020), the desktop shell, and the msiexec.exe rows from the Windows Installer service process. Neither is a child of the sample and the WriteProcessMemory rows show no write into either PID, so these are ordinary system activity captured during the run rather than sample behaviour. The two SeDebugPrivilege rows are tasklist.exe enabling the debug privilege it needs to enumerate other processes, spawned by the two self-deleting cmd.exe instances.
Suspicious use of SetWindowsHookEx (6 IoCs)
pid  Process
2096  JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe
1800  aUY5E15SY8.exe
2840  yayiw.exe
1848  2nua.exe
1404  2nua.exe
2420  2nua.exe
Suspicious use of WriteProcessMemory (64 IoCs)
The sandbox logs one row per write; summarized as source pid/process -> target pid/process (procid_target) x rows:
2096 JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe -> 1800 aUY5E15SY8.exe (31)  x4
1800 aUY5E15SY8.exe -> 2840 yayiw.exe (32)  x4
1800 aUY5E15SY8.exe -> 2704 cmd.exe (33)  x4
2704 cmd.exe -> 2760 tasklist.exe (35)  x4
2096 JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe -> 1848 2nua.exe (37)  x4
1848 2nua.exe -> 2808 2nua.exe (38)  x5
1848 2nua.exe -> 2284 2nua.exe (39)  x8
1848 2nua.exe -> 2572 2nua.exe (40)  x10
1848 2nua.exe -> 2420 2nua.exe (41)  x8
1848 2nua.exe -> 1404 2nua.exe (42)  x8
2096 JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe -> 2876 3nua.exe (43)  x4
2096 JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe -> 1768 cmd.exe (46)  x1
The list ends at exactly 64 r rows, in the middle of the writes to 1768 (every other child that 2096 creates shows four), so it is truncated and the counts are lower bounds. The children started with a plain CreateProcess receive four writes each; the five 2nua.exe children that also appear under SetThreadContext receive five to ten, consistent with a payload image being written into a suspended child before its thread context is replaced.
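Added example, not Triage output or Triage code: the `wrote to memory of` and `set thread context of` rows above are enough to rebuild the parent/child tree of the sample's own processes and to mark which children were both written to and had their thread context set by the same parent, the sequence a RunPE/process-hollowing loader uses (create suspended, write image, SetThreadContext, resume). The sample rows are a subset of the two tables above with some repeats kept; the name table for target PIDs is taken from the process list on this page, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: a subset of the "wrote to memory of" / "set thread context of"
# rows from the tables above, flattened as the page prints them. Repeated rows are
# kept on purpose: the sandbox logs one row per write.
EVENTS = (
    "PID 2096 wrote to memory of 1800 2096 JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe 31 "
    "PID 2096 wrote to memory of 1800 2096 JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe 31 "
    "PID 1800 wrote to memory of 2840 1800 aUY5E15SY8.exe 32 "
    "PID 1800 wrote to memory of 2704 1800 aUY5E15SY8.exe 33 "
    "PID 2704 wrote to memory of 2760 2704 cmd.exe 35 "
    "PID 2096 wrote to memory of 1848 2096 JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe 37 "
    "PID 1848 wrote to memory of 2808 1848 2nua.exe 38 "
    "PID 1848 wrote to memory of 2284 1848 2nua.exe 39 "
    "PID 1848 wrote to memory of 2284 1848 2nua.exe 39 "
    "PID 1848 wrote to memory of 2572 1848 2nua.exe 40 "
    "PID 1848 wrote to memory of 2420 1848 2nua.exe 41 "
    "PID 1848 wrote to memory of 1404 1848 2nua.exe 42 "
    "PID 2096 wrote to memory of 2876 2096 JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe 43 "
    "PID 2096 wrote to memory of 1768 2096 JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe 46 "
    "PID 1848 set thread context of 2808 1848 2nua.exe 38 "
    "PID 1848 set thread context of 2284 1848 2nua.exe 39 "
    "PID 1848 set thread context of 2572 1848 2nua.exe 40 "
    "PID 1848 set thread context of 2420 1848 2nua.exe 41 "
    "PID 1848 set thread context of 1404 1848 2nua.exe 42"
)

# Constructed name table for the target PIDs, taken from the process list on this page
# (the event rows only name the writing process, not the target).
NAMES = {
    2096: "JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe", 1800: "aUY5E15SY8.exe",
    2840: "yayiw.exe", 2704: "cmd.exe", 2760: "tasklist.exe", 1848: "2nua.exe",
    2808: "2nua.exe", 2284: "2nua.exe", 2572: "2nua.exe", 2420: "2nua.exe",
    1404: "2nua.exe", 2876: "3nua.exe", 1768: "cmd.exe",
}

# "PID <src> <kind> <dst> <src again> <process> <procid_target>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<tgt>\d+)"
)


def parse_events(text: str):
    """Return (write counts per (src, dst), set of (src, dst) SetThreadContext pairs,
    names of the source processes as the sandbox printed them)."""
    writes: Counter = Counter()
    ctx: Set[Tuple[int, int]] = set()
    names: Dict[int, str] = {}
    for m in EVENT_RE.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        names[src] = m["proc"]
        if m["kind"].startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return writes, ctx, names


def build_tree(writes) -> Dict[int, List[int]]:
    """Parent -> sorted children, derived from which process wrote into which."""
    children = defaultdict(set)
    for src, dst in writes:
        children[src].add(dst)
    return {src: sorted(c) for src, c in children.items()}


def roots(tree) -> List[int]:
    parents = set(tree)
    kids = {c for cs in tree.values() for c in cs}
    return sorted(parents - kids)


def hollowed(writes, ctx) -> Set[int]:
    """Children that were both written to and had their thread context replaced by the
    same parent: the RunPE / process-hollowing sequence."""
    return {dst for (src, dst) in ctx if (src, dst) in writes}


def render(tree, names, hollow, pid, depth=0) -> List[str]:
    tag = "  [hollowed: image written, thread context set]" if pid in hollow else ""
    lines = [f"{'  ' * depth}{names.get(pid, '?')} (PID {pid}){tag}"]
    for child in tree.get(pid, []):
        lines.extend(render(tree, names, hollow, child, depth + 1))
    return lines


if __name__ == "__main__":
    w, c, _ = parse_events(EVENTS)
    t = build_tree(w)
    for r in roots(t):
        print("\n".join(render(t, NAMES, hollowed(w, c), r)))
```

Because the tree is derived from writes rather than from CreateProcess events, explorer.exe and msiexec.exe never appear in it, which is the quick way to confirm that those two top-level processes received nothing from the sample.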
System policy modification (1 TTP, 2 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  3nua.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"  3nua.exe
HideSCAHealth = 1 is the "Remove the Action Center icon" policy: it hides the Action Center / Security Center icon from the notification area, so the user gets no warning when the Security Center service (set to demand-start above) stops reporting AV and firewall state. This is the registry write behind the "Disables taskbar notifications via registry modification" signature.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indented by process depth as the sandbox recorded it; the image path is followed by the PID and the command line, then the signatures that fired in that process.

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe  (PID 2096, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\aUY5E15SY8.exe  (PID 1800, level 2)
    command line: C:\Users\Admin\aUY5E15SY8.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\yayiw.exe  (PID 2840, level 3)
      command line: "C:\Users\Admin\yayiw.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\cmd.exe  (PID 2704, level 3)
      command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del aUY5E15SY8.exe
      (the image is the SysWOW64 copy because the 32-bit parent's System32 path is redirected by WoW64)
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\tasklist.exe  (PID 2760, level 4)
        command line: tasklist
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\2nua.exe  (PID 1848, level 2)
    command line: C:\Users\Admin\2nua.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\2nua.exe  (PID 2808, level 3)
      command line: "C:\Users\Admin\2nua.exe"
      - Executes dropped EXE
    C:\Users\Admin\2nua.exe  (PID 2284, level 3)
      command line: "C:\Users\Admin\2nua.exe"
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\2nua.exe  (PID 2572, level 3)
      command line: "C:\Users\Admin\2nua.exe"
      - Executes dropped EXE
      - Maps connected drives based on registry
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\2nua.exe  (PID 2420, level 3)
      command line: "C:\Users\Admin\2nua.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\2nua.exe  (PID 1404, level 3)
      command line: "C:\Users\Admin\2nua.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\3nua.exe  (PID 2876, level 2)
    command line: C:\Users\Admin\3nua.exe
    - Modifies security service
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - System policy modification
    C:\Users\Admin\3nua.exe  (PID 1580, level 3)
      command line: C:\Users\Admin\3nua.exe startC:\Users\Admin\AppData\Roaming\9B7B5\D117E.exe%C:\Users\Admin\AppData\Roaming\9B7B5
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\3nua.exe  (PID 1100, level 3)
      command line: C:\Users\Admin\3nua.exe startC:\Program Files (x86)\B567A\lvvm.exe%C:\Program Files (x86)\B567A
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    C:\Program Files (x86)\LP\7E69\6FE3.tmp  (PID 1088, level 3)
      command line: "C:\Program Files (x86)\LP\7E69\6FE3.tmp"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe  (PID 1768, level 2)
    command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe
    - Deletes itself
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\tasklist.exe  (PID 624, level 3)
      command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe  (PID 2520, level 1)
  command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe  (PID 2020, level 1)
  command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

msiexec.exe and explorer.exe are separate top-level processes, not children of the sample, and the WriteProcessMemory rows record no write from any sample process into PID 2520 or 2020. The sample's own tree is: the dropper writes aUY5E15SY8.exe (which installs yayiw.exe and the user Run key, then deletes itself), 2nua.exe (which hollows five copies of itself) and 3nua.exe (the Cycbot component, which re-launches itself twice with a "start<path>%<dir>" argument, drops 6FE3.tmp and 747.exe under Program Files (x86)\LP\7E69, and changes the Security Center service and Action Center policy), and finally deletes the original file through cmd.exe.
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (5)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads
Files recovered from the run; the report gives sizes and hashes only, no file names or source paths.

Filesize 600B
  MD5     11bd5358cf6c6c998bfaaa792407567b
  SHA1    f549e37e9729e1d07df1fb813b1d9bed0bf33c29
  SHA256  9cc62287b0390d265fbae381fe3fd384760411862bb8c1ca76a21abbf9940f30
  SHA512  718bc2a6d41dfaa67d80f770617f4e4cbb5ddf8c47d8317aae7c1de9acecd22798c5f21499858089fc028356c3238a3e8cc504adfdb36ceb219a17204d04a706

Filesize 996B
  MD5     49803820971bb4ce76704db4a04058f2
  SHA1    e4ab0e0b10eb06f58973ab525aaf2d6711ce3f06
  SHA256  42dc03cf96ebc8df68b6e5b7240b3e0a70a88fedd1d148f08beddb460649adbe
  SHA512  dadb48af278ef11d6ef4aecdd2cd8e16d59b8a5060108baa1839fe402285d9afa2fe6890d24d9f141f8ca4a82d67f558fe1d59890b532d3875f99b26d2d2aea6

Filesize 97KB
  MD5     29c0a1942c5efa556fcf06cdb27e6b43
  SHA1    1f4897b7091c159f7402237f093dd66419ef801b
  SHA256  4f5a26e02022c8e480e3bba16fdbe3c9e19f95ccfded922fdb911403ef1ae0c4
  SHA512  54389f2ec50d6447f89b15268f4daa3b9a6a0f7c0609648754eaeb6bd6e159c800f1f29f759bd56f42ab6249b246a95081d1e0e9fdd43e56ff2104a7ce458168

Filesize 224KB
  MD5     b64185be04a7c3882871c07358450544
  SHA1    6dd00c5f29490e210639ac155e732f7c33e746af
  SHA256  c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
  SHA512  604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

Filesize 273KB
  MD5     0fcecac14065f03c4f83bf5ae6ac415b
  SHA1    f71aa4708e16a2a3bf15e2a99cc0ce609b08769b
  SHA256  79f4527215b4a213f69cf618440202131afa6eb61d2bc6046b718dd4b4ddb787
  SHA512  49195c9f00c434228dd76151042dc03f7f87b77438734861face0f4ec40391649ed784aaf82b756113a55d55126c9b18c27e44d0c47ca75564ea079eed161003

Filesize 208KB
  MD5     380575fdf47f22e24cc214c89f098f9d
  SHA1    5d5584fab3dc5267ffacfd4c331555f4f7703fb6
  SHA256  04fc572ba5e2e941d3510ed1504cc04490c7f5ff3ec651e6c8ffd6645ef2e0c9
  SHA512  70ce73ac9a14224c608e1ab60e21dd8bbd5ebcc8c75bb670c0861c8fc4a478965d39a450d32907ff90baa3a8a2fc9e50a9cc8d7385a330b373d3c9854cc8e7e2

Filesize 208KB
  MD5     82adad353f37dcfaced2e255b6f4b77c
  SHA1    30f53b93c0c1f52b952ff86b347b5bdca30662ac
  SHA256  31c136724919f00adf3b32638a2f16917cb8b8f60eff66595b29522859ac2b2f
  SHA512  f9dd12229f0540aa3387efd92a2db56095fb12c960cc31d2d7896f069187fd9aa93ccd858401f26fb1e26f755497befdf02cc3efdef2c0e8906ada70b0dbeeae