Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/04/2024, 18:15
Static task: static1
Behavioral task: behavioral1
  Sample: e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
Size: 468KB
MD5: e58e1a94f496400a4dedbefcaf340b2b
SHA1: ecea838bb847137c29705c0b546704ff486a4f46
SHA256: 5471a63ff1fcd035164628b783495591d3836c3153f2e1730929ed18b550f5d7
SHA512: b7b60fabd12f902f8cd2f481994f23c4fb61fec28700ccf98bb376345b184a1fecb52334fe1e64b3873580409f57065f6c51b989f31803fe38745b130904b7b6
SSDEEP: 12288:A06ld0/XOW0WVb3uPjl5XthpFN2BNp/OqAo1/S:A0U0P4yDyf9PT2BN0qAS/S
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"   process: xuXKCQEP.exe
Executes dropped EXE (7 IoCs)
  PID 1116 xuXKCQEP.exe
  PID 1276 toast.exe
  PID 2324 toast.exe
  PID 784 voast.exe
  PID 1628 voast.exe
  PID 2460 woast.exe
  PID 336 csrss.exe
Loads dropped DLL (8 IoCs)
  PID 1036 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe (8 entries)
Adds Run key to start application (2 TTPs, 50 IoCs)
  All 50 entries are writes by xuXKCQEP.exe to the same value:
  Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /<switch>"   process: xuXKCQEP.exe
  The value is rewritten with a different single-letter switch each time, in this order:
  /j /y /o /F /N /H /s /B /e /i /g /S /h /C /w /q /M /X /O /l /c /f /u /t /L /A /G /R /x /n /U /P /v /K /V /J /a /d /m /z /Q /Z /I /Y /p /W /T /k /r /E
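The fifty Run-key entries are one registry value rewritten with a different switch each time, so an IoC list built from them should collapse to a single (key, value name, writing process) triple rather than fifty rows. The Python below is an added example, not part of the report and not Triage code: it parses registry "Set value" records in the run-together form this page shows them, collapses the doubled backslashes the report uses inside REG_SZ data, and reports Run-key persistence that points back at the process that wrote it, together with the ShowSuperHidden=0 write. The sample input is a four-record excerpt copied from this report; the function and field names are the example's own.

```python
import re
from collections import defaultdict

# Four of the registry "Set value" records from this report, in the
# run-together form the page shows them (constructed excerpt: the
# ShowSuperHidden write and three of the fifty Run-key rewrites).
SAMPLE = (
    r'Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" xuXKCQEP.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /j" xuXKCQEP.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /y" xuXKCQEP.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /o" xuXKCQEP.exe'
)

# One record: Set value (<type>) <key path>\<value name> = "<data>" <writing process>
IOC_RE = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\\S+) = "(.*?)" (\S+)')
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"


def parse_iocs(text):
    """Split run-together 'Set value' records into dicts.

    The report doubles backslashes inside REG_SZ data; they are collapsed
    back to single backslashes so the data compares like a real path.
    """
    records = []
    for m in IOC_RE.finditer(text):
        vtype, path, data, process = m.groups()
        key, _, name = path.rpartition("\\")
        records.append({"type": vtype, "key": key, "name": name,
                        "data": data.replace("\\\\", "\\"), "process": process})
    return records


def persistence_findings(records):
    """Summarise Run-key persistence and the Explorer hidden-file setting."""
    run_values = defaultdict(lambda: {"process": None, "commands": set()})
    hides_super_hidden = False
    for r in records:
        if r["key"].lower().endswith(RUN_KEY_SUFFIX):
            entry = run_values[(r["key"], r["name"])]
            entry["process"] = r["process"]
            entry["commands"].add(r["data"])
        elif r["name"] == "ShowSuperHidden" and r["data"] == "0":
            hides_super_hidden = True

    run_keys = []
    for (key, name), entry in run_values.items():
        exe = entry["process"].lower()
        commands = entry["commands"]
        run_keys.append({
            "hive_key": key, "value": name, "process": entry["process"],
            # distinct command lines written to this one value (50 on the page)
            "variants": len(commands),
            # the Run value launches the very binary that wrote it
            "self_persistence": all(exe in c.lower() for c in commands),
            # launch target lives in the user profile, not Program Files or System32
            "user_profile": all(c.lower().startswith("c:\\users\\") for c in commands),
        })
    return {"run_keys": run_keys, "hides_super_hidden": hides_super_hidden}


if __name__ == "__main__":
    import json
    print(json.dumps(persistence_findings(parse_iocs(SAMPLE)), indent=2))
```

Keyed on (key, value name) the fifty writes become one finding with variants=3 for the excerpt (50 for the full list); the changing switch is noise for an IoC feed, and a detection keyed on the data string would miss the next rewrite anyway.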
Drops desktop.ini file(s) (2 IoCs)
  File created \systemroot\assembly\GAC_64\Desktop.ini   process: csrss.exe
  File created \systemroot\assembly\GAC_32\Desktop.ini   process: csrss.exe
Suspicious use of SetThreadContext (4 IoCs)
  source PID -> target PID (source process, procid_target)
  2336 -> 1036 (e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe, 30)
  1276 -> 2324 (toast.exe, 33)
  784 -> 1628 (voast.exe, 35)
  1628 -> 696 (voast.exe, 36)
Modifies registry class (3 IoCs)
  Key created \registry\machine\Software\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}   process: explorer.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}\u = "30348"   process: explorer.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}\cid = "6299408784960480463"   process: explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1116 xuXKCQEP.exe (34 entries)
  PID 2324 toast.exe (27 entries)
  PID 696 explorer.exe (3 entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege   PID 696 explorer.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 1036 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
  PID 1116 xuXKCQEP.exe
  PID 2460 woast.exe
Suspicious use of UnmapMainImage (1 IoC)
  PID 336 csrss.exe
Suspicious use of WriteProcessMemory (53 IoCs)
  source PID -> target PID (source process, procid_target): number of writes
  2336 -> 1036 (e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe, 30): 9
  1036 -> 1116 (e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe, 31): 4
  1036 -> 1276 (e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe, 32): 4
  1276 -> 2324 (toast.exe, 33): 11
  1036 -> 784 (e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe, 34): 4
  784 -> 1628 (voast.exe, 35): 11
  1628 -> 696 (voast.exe, 36): 5
  1036 -> 2460 (e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe, 37): 4
  696 -> 336 (explorer.exe, 2): 1
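Triage lists WriteProcessMemory and SetThreadContext as separate signatures; what makes this sample's behaviour readable is the pairs that appear in both (a parent writing into a process it started and then replacing that process's thread context, the sequence process hollowing leaves behind) and the one write that has neither a matching SetThreadContext nor a parent/child relationship: explorer.exe (PID 696, which also took SeDebugPrivilege) writing into the system's csrss.exe (PID 336, whose command line in the process tree is the standard subsystem start-up line). The Python below is an added example, not part of the report and not Triage code, that rebuilds those relationships from the flattened record text. The sample input is an excerpt of the records on this page with the repeated identical writes collapsed to one each, and the pid-to-image table is the "Executes dropped EXE" list; the function names are the example's own.

```python
import re
from collections import defaultdict

# Excerpt (constructed from this report) of the SetThreadContext and
# WriteProcessMemory records, in the flattened form the page shows them.
# Identical repeated writes are collapsed to one record each.
SAMPLE = (
    "PID 2336 set thread context of 1036 2336 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe 30 "
    "PID 1276 set thread context of 2324 1276 toast.exe 33 "
    "PID 784 set thread context of 1628 784 voast.exe 35 "
    "PID 1628 set thread context of 696 1628 voast.exe 36 "
    "PID 2336 wrote to memory of 1036 2336 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe 30 "
    "PID 1036 wrote to memory of 1116 1036 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe 31 "
    "PID 1036 wrote to memory of 1276 1036 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe 32 "
    "PID 1276 wrote to memory of 2324 1276 toast.exe 33 "
    "PID 1036 wrote to memory of 784 1036 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe 34 "
    "PID 784 wrote to memory of 1628 784 voast.exe 35 "
    "PID 1628 wrote to memory of 696 1628 voast.exe 36 "
    "PID 1036 wrote to memory of 2460 1036 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe 37 "
    "PID 696 wrote to memory of 336 696 explorer.exe 2"
)

# The "Executes dropped EXE" pid list from the report, used to name target
# processes that never appear as a source in SAMPLE.
PID_TABLE = ("1116 xuXKCQEP.exe 1276 toast.exe 2324 toast.exe 784 voast.exe "
             "1628 voast.exe 2460 woast.exe 336 csrss.exe")

# One record: "PID <src> <verb> <dst> <src again> <source image> <procid_target>"
EVENT_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\d+)")
PID_IMAGE_RE = re.compile(r"\b(\d+) (\S+\.exe)\b")


def parse_events(text):
    """Return one dict per record: source pid, target pid, source image, operation."""
    events = []
    for m in EVENT_RE.finditer(text):
        src, verb, dst, image, _target_idx = m.groups()
        events.append({
            "src": int(src), "dst": int(dst), "image": image,
            "op": "SetThreadContext" if verb.startswith("set") else "WriteProcessMemory",
        })
    return events


def _pairs(events, op):
    return {(e["src"], e["dst"]) for e in events if e["op"] == op}


def injection_pairs(events):
    """(src, dst) pairs that were both written to and had a thread context set:
    the WriteProcessMemory + SetThreadContext combination hollowing-style
    injection leaves behind."""
    return sorted(_pairs(events, "WriteProcessMemory") & _pairs(events, "SetThreadContext"))


def write_only_pairs(events):
    """Writes with no matching SetThreadContext. A parent writing a few times into
    a child it just created is ordinary process start-up; a write into a process
    the source did not create (here explorer.exe -> csrss.exe) is the one to chase."""
    return sorted(_pairs(events, "WriteProcessMemory") - _pairs(events, "SetThreadContext"))


def injection_chains(pairs):
    """Follow src -> dst edges starting from every source nobody injected into."""
    children = defaultdict(list)
    for src, dst in pairs:
        children[src].append(dst)
    targets = {dst for _, dst in pairs}
    chains = []
    for root in sorted({src for src, _ in pairs} - targets):
        stack = [[root]]
        while stack:
            path = stack.pop()
            kids = children.get(path[-1], [])
            if not kids:
                chains.append(path)
            for kid in kids:
                stack.append(path + [kid])
    return chains


def describe_chains(text):
    """Human-readable chains, naming pids from every '<pid> <image>.exe' in text."""
    images = {int(pid): image for pid, image in PID_IMAGE_RE.findall(text)}
    chains = injection_chains(injection_pairs(parse_events(text)))
    return [" -> ".join(f"{pid} {images.get(pid, '?')}" for pid in chain) for chain in chains]


if __name__ == "__main__":
    for line in describe_chains(SAMPLE + " " + PID_TABLE):
        print(line)
    print("write-only:", write_only_pairs(parse_events(SAMPLE)))
```

On this report the paired operations give three chains: the submitted sample into a second copy of itself, toast.exe into its own child, and voast.exe into its child and from there into explorer.exe. The write-only set is dominated by PID 1036 writing into the four binaries it spawned, which is what a parent does to any child it creates; the 696 -> 336 entry stands apart because csrss.exe sits at the top of the process tree, not under explorer.exe, so that write went into a process the source never created.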
Processes
C:\Windows\system32\csrss.exe  (PID 336, level 1)
  command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious use of UnmapMainImage
C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe  (PID 2336, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe  (PID 1036, level 2)
    command line: e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\xuXKCQEP.exe  (PID 1116, level 3)
      command line: C:\Users\Admin\xuXKCQEP.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\toast.exe  (PID 1276, level 3)
      command line: C:\Users\Admin\toast.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\toast.exe  (PID 2324, level 4)
        command line: toast.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\voast.exe  (PID 784, level 3)
      command line: C:\Users\Admin\voast.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\voast.exe  (PID 1628, level 4)
        command line: voast.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Windows\explorer.exe  (PID 696, level 5)
          command line: 0000003C*
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
    C:\Users\Admin\woast.exe  (PID 2460, level 3)
      command line: C:\Users\Admin\woast.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 52KB
MD5: 1812577ddfa736694a8dbad896d329d7
SHA1: a6831421aa2c04b93078df35d4bd2eed62985060
SHA256: c9173337e91ef6a59658dd60f713517eddd8cb43196dcc970266cbc12c33d5df
SHA512: d470c44c8e969b182dae8b2451075b525a9f1fc349737db19966581cb76289b1cac00cf6b7920c53959aaaedabd47385acc6b74dce2cc8f6a54a5ed882901d34

Filesize: 152KB
MD5: b6d3a09df822fcf55b889b57c5ad799e
SHA1: dc44a91e89534819dcb18d18a42e2c0d3d3b649f
SHA256: 83f8d74aa948dc8569f2f44174eb4da6e3bf0d6ef9293c8a92d882c2fda0e07c
SHA512: a7330d31a38361f41ae8385ff0541455fd098e874a29b0e8de3c92800fbe4ad2aa8a7a0374482d0e8a8db3363ca2e86c60216b9406eb306fe061bfde8086ebf1

Filesize: 242KB
MD5: dc6332b873df679e69e099579c8bc22d
SHA1: 0341ad78eff722fae4142aa1da9e4be0116569f9
SHA256: 8c95e0048da1c72815701a5bb8000023b96433ad05e63e568ee28246c153ab04
SHA512: a6d9966765ede960b5f3929a61337d5582e40fae12cf5176dad9ec1ab608f4d73481ab1cc0ba168e162039fd3aabd75ceb16966b38999d9f71af2a5354fb7376

Filesize: 24KB
MD5: f29656c436f7a25b63fe325b01a86a95
SHA1: 148fe98b4901aaf454118c89ec71f4d36bed05bc
SHA256: 1cc6a49d67f8f63801d0ffa3722f96405995e9f30958e5a368589591583932de
SHA512: d4eae9c9e02a1887ca30cd1750e73ade9d071594017e6d0d1cead2eff9c418b327752525fac130356d2454325e58ae54e24dd246784f15481ba2c01db7d097e7

Filesize: 156KB
MD5: 35362b609d4c80aa54977dd3c34f71a1
SHA1: 0f561d1d9aa9543d1e9f759b90f6ff6f8b18dd89
SHA256: 5c3e9c19f2015acdfda9921a68d6822348d4f82b6b1d12d248264d1361d72ca9
SHA512: e96bc0bb4cea72ad7fa55af13a48e4d16c43b66238e663247db93a977d7f926241cae8a3672334cbe10ada0934401472e483d4067ace1358409068984949e9cb