Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 22:52
Static task: static1
General
Target: e89d42e8739f1d730eadced6f6a5f428_JaffaCakes118.exe
Size: 672KB
MD5: e89d42e8739f1d730eadced6f6a5f428
SHA1: b4975a178d419b2b47d4a9b5130ea3e0b9d991f4
SHA256: 043826693f7236e5353ed0f60818002fbf8122af64cb48e030fc6ce2071a48d2
SHA512: e6b14bd8cc8d2735ff3f38c532341205b46e54910ec2ae5afcb2526ec79ef71fa43b50ed6d76a37b374b45e249582277775b00b60398f93cb7b0a0e828f4275b
SSDEEP: 12288:kCCGxTSAe2mjiVg69cvigIUeNyz9bkaF/j3yAfh3xU+LQcPWswdc:kClx20gKgIUY8eXJcrwy
Malware Config
Signatures

Expiro payload (2 IoCs)
Processes:
  resource: behavioral1/memory/3316-128-0x00007FF669C50000-0x00007FF669DD0000-memory.dmp  yara_rule: family_expiro1
  resource: behavioral1/memory/4460-144-0x00007FF6FE2E0000-0x00007FF6FE417000-memory.dmp  yara_rule: family_expiro1
Disables taskbar notifications via registry modification
Processes:
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-566096764-1992588923-1249862864-1000\EnableNotifications = "0" [alg.exe]
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-566096764-1992588923-1249862864-1000 [alg.exe]

Executes dropped EXE (6 IoCs)
Processes:
  pid 4460  alg.exe
  pid 1016  DiagnosticsHub.StandardCollector.Service.exe
  pid 4132  fxssvc.exe
  pid 2688  elevation_service.exe
  pid 3884  elevation_service.exe
  pid 2904  TrustedInstaller.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 42 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (64 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (7 IoCs)
Processes:
  File opened for modification: \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe [e89d42e8739f1d730eadced6f6a5f428_JaffaCakes118.exe]
  File opened for modification: \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe [alg.exe]
  File opened for modification: \??\c:\windows\servicing\trustedinstaller.exe [alg.exe]
  File opened for modification: \??\c:\windows\servicing\trustedinstaller.exe [e89d42e8739f1d730eadced6f6a5f428_JaffaCakes118.exe]
  File created: \??\c:\windows\servicing\fonbiibp.tmp [e89d42e8739f1d730eadced6f6a5f428_JaffaCakes118.exe]
  File created: C:\Windows\Logs\CBS\CBS.log [TrustedInstaller.exe]
  File opened for modification: C:\Windows\Logs\CBS\CBS.log [TrustedInstaller.exe]
Modifies data under HKEY_USERS (5 IoCs)
Processes:
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" [fxssvc.exe]
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" [fxssvc.exe]
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" [fxssvc.exe]
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" [fxssvc.exe]
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" [fxssvc.exe]
Suspicious behavior: EnumeratesProcesses (42 IoCs)
Processes:
  pid 4460  alg.exe  (42 occurrences)
Suspicious behavior: LoadsDriver (2 IoCs)
Processes:
  pid 636  (2 occurrences, process name not recorded)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeTakeOwnershipPrivilege  pid 3316  e89d42e8739f1d730eadced6f6a5f428_JaffaCakes118.exe
  Token: SeAuditPrivilege  pid 4132  fxssvc.exe
  Token: SeTakeOwnershipPrivilege  pid 4460  alg.exe
System policy modification (1 TTPs, 2 IoCs)
Processes:
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer [alg.exe]
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" [alg.exe]
Processes

C:\Users\Admin\AppData\Local\Temp\e89d42e8739f1d730eadced6f6a5f428_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e89d42e8739f1d730eadced6f6a5f428_JaffaCakes118.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 3316

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 4460

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 1016

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 2576

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 4132

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID: 2688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 3884

C:\Windows\servicing\TrustedInstaller.exe
Command line: C:\Windows\servicing\TrustedInstaller.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2904
Network
MITRE ATT&CK Enterprise v15
Downloads