Analysis Overview
SHA256
8b7295497f32c35921dbc82ee00af18fc49941de2e2a13f27e52c14b4e13c3bc
Threat Level: Known bad
The file e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 15:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 15:06
Reported
2024-04-06 15:09
Platform
win7-20240215-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\waitoc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\waitoc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /z" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /K" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /D" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /L" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /A" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /p" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /E" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /s" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /X" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /W" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /R" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /m" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /h" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /H" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /q" | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /i" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /B" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /a" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /T" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /r" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /I" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /g" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /v" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /d" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /b" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /N" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /w" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /C" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /x" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /V" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /U" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /S" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /c" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /j" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /t" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /Z" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /o" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /Y" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /f" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /l" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /q" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /u" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /e" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /k" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /O" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /J" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /F" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /P" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /G" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /y" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /n" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /Q" | C:\Users\Admin\waitoc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /M" | C:\Users\Admin\waitoc.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\waitoc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1660 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | C:\Users\Admin\waitoc.exe |
| PID 1660 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | C:\Users\Admin\waitoc.exe |
| PID 1660 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | C:\Users\Admin\waitoc.exe |
| PID 1660 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | C:\Users\Admin\waitoc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe"
C:\Users\Admin\waitoc.exe
"C:\Users\Admin\waitoc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ns1.player1352.com | udp |
| US | 8.8.8.8:53 | ns1.player1352.net | udp |
| US | 8.8.8.8:53 | ns1.player1352.org | udp |
Files
memory/1660-0-0x0000000000400000-0x0000000000448000-memory.dmp
\Users\Admin\waitoc.exe
| MD5 | d996d8cf3b8a802420d48f72062ad62a |
| SHA1 | 65c0d2de219877aaf017de3ff9ba2902f7ae074e |
| SHA256 | 242128851a83c6c2d9707b39c381e7aa59bcb341fee7918cccbf5131d2f494ca |
| SHA512 | f2d08db73bd218d6f3ef34460abdad80b39a5e20481dded77b500a7158a4e5cbab95fbce31afdbf842d784c9fc4257a8707580306ed1458dafa074a4850573b3 |
memory/1660-9-0x0000000003120000-0x0000000003168000-memory.dmp
memory/1660-15-0x0000000003120000-0x0000000003168000-memory.dmp
memory/1660-19-0x0000000000400000-0x0000000000448000-memory.dmp
memory/1660-20-0x0000000003120000-0x0000000003168000-memory.dmp
memory/2532-21-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 15:06
Reported
2024-04-06 15:09
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
111s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\paifiav.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\paifiav.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /l" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /Q" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /j" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /t" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /J" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /v" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /C" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /r" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /M" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /v" | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /U" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /X" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /d" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /K" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /z" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /c" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /a" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /Y" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /R" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /D" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /y" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /u" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /L" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /A" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /w" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /k" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /f" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /F" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /p" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /Z" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /E" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /b" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /W" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /s" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /H" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /I" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /q" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /V" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /n" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /m" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /g" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /B" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /N" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /G" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /T" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /x" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /O" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /o" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /i" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /h" | C:\Users\Admin\paifiav.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /e" | C:\Users\Admin\paifiav.exe | N/A |
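The two Run-key tables above (waitoc in behavioral1, paifiav in behavioral2) show the same pattern: one HKCU\...\Run value rewritten dozens of times, always pointing at an executable dropped directly in the user-profile root and always carrying a single-letter switch, alongside ShowSuperHidden being forced to 0. The following is an added triage helper, not code from the report or the sandbox, that parses indicator strings in the exact form the report prints them and reduces them to that summary. The indicator list is constructed from rows on this page; the OneDrive entry is a constructed benign control that does not appear in the report, and the "profile root + single-letter switch" test is a heuristic chosen here, not a sandbox signature.

```python
"""Summarize registry persistence indicators from a sandbox report (added example)."""
import re
from collections import defaultdict

# Constructed sample: indicator strings copied in the form the report prints them
# (the sandbox doubles backslashes inside string data). The OneDrive line is a
# constructed benign control for contrast and is not in the report.
SAMPLE_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"',
    r'\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /l"',
    r'\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /Q"',
    r'\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paifiav = "C:\\Users\\Admin\\paifiav.exe /v"',
    r'\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /z"',
    r'\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\waitoc = "C:\\Users\\Admin\\waitoc.exe /K"',
    r'\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
]

# <key path>\<value name> = "<data>"  -- the value name is the last path component.
INDICATOR_RE = re.compile(r'^(?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
# Split Run data into the executable and whatever follows it.
CMDLINE_RE = re.compile(r'^(?P<exe>.+?\.exe)(?:\s+(?P<args>.*\S))?\s*$', re.IGNORECASE)
# Executable sitting directly in C:\Users\<user>\ (no subdirectory): heuristic, not a signature.
PROFILE_ROOT_RE = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)
SINGLE_SWITCH_RE = re.compile(r'^/[A-Za-z]$')


def parse_indicator(line):
    """Return {'key', 'name', 'data'} for one indicator line, or None if it does not parse."""
    m = INDICATOR_RE.match(line)
    if not m:
        return None
    # Undo the sandbox's backslash doubling so the path compares like a real path.
    return {"key": m.group("key"), "name": m.group("name"),
            "data": m.group("data").replace("\\\\", "\\")}


def summarize(indicators):
    """Collapse repeated Run-key writes into one entry per value name and flag the Explorer change."""
    run, switches, hides = {}, defaultdict(set), False
    for line in indicators:
        rec = parse_indicator(line)
        if rec is None:
            continue
        key_l = rec["key"].lower()
        if key_l.endswith(r"\explorer\advanced") and rec["name"] == "ShowSuperHidden":
            # "0" hides protected operating-system files, which also hides hidden/system drops.
            hides = hides or rec["data"] == "0"
            continue
        if key_l.endswith(r"\currentversion\run"):
            cm = CMDLINE_RE.match(rec["data"])
            if not cm:
                continue
            exe, args = cm.group("exe"), cm.group("args") or ""
            switches[rec["name"]].add(args)
            run.setdefault(rec["name"], {"exe": exe,
                                        "in_profile_root": bool(PROFILE_ROOT_RE.match(exe))})
    for name, entry in run.items():
        sw = sorted(switches[name])
        entry["switches"] = sw
        entry["single_letter_switches"] = all(SINGLE_SWITCH_RE.match(a) for a in sw)
        # Heuristic chosen for this example: drop in profile root + only single-letter switches.
        entry["suspicious"] = entry["in_profile_root"] and entry["single_letter_switches"]
    return {"hides_system_files": hides, "run_entries": run}


if __name__ == "__main__":
    summary = summarize(SAMPLE_INDICATORS)
    print("ShowSuperHidden forced to 0:", summary["hides_system_files"])
    for name, e in summary["run_entries"].items():
        print(f"{name}: {e['exe']} switches={e['switches']} suspicious={e['suspicious']}")
```

The value is repeatedly rewritten with a different switch each time, so counting distinct switches per value name is a cheap way to separate this churn from a legitimate installer that writes its Run value once; on a live host the same logic applies to the data read back from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.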
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\paifiav.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2864 wrote to memory of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | C:\Users\Admin\paifiav.exe |
| PID 2864 wrote to memory of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | C:\Users\Admin\paifiav.exe |
| PID 2864 wrote to memory of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe | C:\Users\Admin\paifiav.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2ce922b7a70175ca38cbe50cdbf0a60_JaffaCakes118.exe"
C:\Users\Admin\paifiav.exe
"C:\Users\Admin\paifiav.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.player1352.com | udp |
| US | 8.8.8.8:53 | ns1.player1352.net | udp |
| US | 8.8.8.8:53 | ns1.player1352.org | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
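Both detonations resolve the same host label under three sibling TLDs (ns1.player1352.com, .net, .org), while the rest of the behavioral2 DNS traffic is reverse lookups of public addresses. The following is an added example, not code from the report or the sandbox, that groups the Domain column by second-level label, discards in-addr.arpa reverse lookups, and reports labels queried under more than one TLD. The query list is constructed from the table above; the "last two labels" split is a deliberate simplification (no public-suffix list), so it assumes names like the ones on this page and would mis-group two-part suffixes such as co.uk.

```python
"""Group sandbox DNS queries by second-level label across TLDs (added example)."""
from collections import defaultdict

# Constructed sample: the Domain column of the behavioral2 Network table, abridged.
SAMPLE_QUERIES = [
    "133.211.185.52.in-addr.arpa",
    "249.197.17.2.in-addr.arpa",
    "ns1.player1352.com",
    "ns1.player1352.net",
    "ns1.player1352.org",
    "97.17.167.52.in-addr.arpa",
    "183.59.114.20.in-addr.arpa",
]


def is_reverse_lookup(name):
    """PTR-style names the sandbox host issues for the addresses it sees; not sample-driven."""
    return name.lower().rstrip(".").endswith((".in-addr.arpa", ".ip6.arpa"))


def split_name(name):
    """Return (host_labels, sld, tld) using the naive last-two-labels rule (assumption, see lead-in)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[:-2]), labels[-2], labels[-1]


def cluster_by_sld(queries):
    """Map second-level label -> {'tlds': sorted TLDs, 'hosts': sorted host labels}."""
    tlds, hosts = defaultdict(set), defaultdict(set)
    for q in queries:
        if is_reverse_lookup(q):
            continue
        parts = split_name(q)
        if parts is None:
            continue
        host, sld, tld = parts
        tlds[sld].add(tld)
        hosts[sld].add(host)
    return {sld: {"tlds": sorted(tlds[sld]), "hosts": sorted(hosts[sld])} for sld in tlds}


def multi_tld_candidates(queries, min_tlds=2):
    """Labels resolved under at least min_tlds distinct TLDs; these are worth a second look."""
    return {sld: info for sld, info in cluster_by_sld(queries).items()
            if len(info["tlds"]) >= min_tlds}


if __name__ == "__main__":
    for sld, info in multi_tld_candidates(SAMPLE_QUERIES).items():
        print(f"{sld}: tlds={info['tlds']} hosts={info['hosts']}")
```

Note that the report shows only the DNS queries, not answers or any follow-on TCP connection, so the output of this check is a pivot for hunting (the three names as a block-list candidate) rather than evidence of a successful callback.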
Files
memory/2864-0-0x0000000000400000-0x0000000000448000-memory.dmp
C:\Users\Admin\paifiav.exe
| MD5 | 7deb8ffbaa2a1781f812245811584d1a |
| SHA1 | 1cfcbc0cf84d8d120f90c659924dab40ee43f145 |
| SHA256 | 82baece1f3acecc8ab1d0d5804a46ea92953af3d2a7b204152d72a2c05d3eea4 |
| SHA512 | adddb3bfd29d0ffa3cc830342d3c6fdae7590d139918bc7f427fb33f1d5827641f0138bca5d9afaa1de825ae67d42654f021bcb1c259b89ab7038f37f8814aaa |
memory/5116-33-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2864-37-0x0000000000400000-0x0000000000448000-memory.dmp
memory/5116-38-0x0000000000400000-0x0000000000448000-memory.dmp