Analysis
max time kernel: 92s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 08-04-2024 07:17
Static task: static1
Behavioral task: behavioral1
  Sample: e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Size: 2.5MB
MD5: e6ec699b6839f02fec298d786d95244e
SHA1: f1c26f1a8729f075f2f49c849be1d8b817bf1b6c
SHA256: d86c9114ecca7a31539278705d7e50f9674a562e1382a6053e735d9d2b30942a
SHA512: e579bbaa11529b8bdcb33771ef39e1b1461aa927bf7ce7f24c633aff2b14fe5367e0bdb259354942a7d95f82f34960f110a1bfad1db55b819de486f1a6d4971c
SSDEEP: 1536:Hn/Ay6PcOtb0LO6kWkVc/HfvfNdmNzyrhe:Hn/A7
Malware Config
Extracted
  Path: C:\Program Files\7-Zip\readme-warning.txt
  Family: makop
  Emails: honestandhope@qq.com
Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.

Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Turns off Windows Defender SpyNet reporting (2 TTPs)

Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe = "0" | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Nirsoft (1 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\2bb7a623-b619-4a44-9f03-14b53dbadc2e\AdvancedRun.exe | Nirsoft
Renames multiple (6457) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Processes:
  pid | process
  1052 | wbadmin.exe
Stops running service(s) (3 TTPs)
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | AdvancedRun.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  1952 | AdvancedRun.exe
  2180 | AdvancedRun.exe
  4944 | AdvancedRun.exe
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe = "0" | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\F: | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (25 IoCs)
Processes:
  pid | process
  3844 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe (13 entries)
  3952 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe (12 entries)
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description | pid | process | target process
  PID 3844 set thread context of 1792 | 3844 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  PID 3952 set thread context of 2824 | 3952 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Drops file in Program Files directory (64 IoCs)
Processes:
  description | ioc | process (all rows: e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe)
  File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\readme-warning.txt
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxSignature.p7x
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\FacebookProfilePictureControl.xbf
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.e35cc441.pri
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML
  File opened for modification | C:\Program Files\ShowResolve.vbe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac
  File opened for modification | C:\Program Files\WatchDeny.docm
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\resources.pri
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100_contrast-black.png
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrv.rll
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-100_contrast-white.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-default_32.svg
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\plugin.js
  File opened for modification | C:\Program Files\Java\jre-1.8\lib\javaws.jar
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-256_altform-unplated_contrast-black.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-150.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-100.png
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-125.png
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\readme-warning.txt
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\readme-warning.txt
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\readme-warning.txt
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js
  File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\ContainExactly.Tests.ps1
  File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\readme-warning.txt
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_f_col.hxk
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-400.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\PlayStore_icon.svg
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\readme-warning.txt
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms
  File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\file_info2x.png
  File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\ContainExactly.ps1
  File opened for modification | C:\Program Files\7-Zip\Lang\th.txt
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.ELM
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookSmallTile.scale-400.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64_altform-unplated_contrast-white.png
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_TicketedEvent_Light.png
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MedTile.scale-125.png
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreMedTile.scale-100.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-64_contrast-white.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-200_contrast-black.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kn-IN\View3d\3DViewerProductDescription-universal.xml
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\readme-warning.txt
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\readme-warning.txt
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.[22D0FE02].[honestandhope@qq.com].makop
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-ms
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-40_altform-unplated.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-64_contrast-white.png
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\readme-warning.txt
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Rotate.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations.png
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\readme-warning.txt
Launches sc.exe (17 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  1424 | sc.exe
  644 | sc.exe
  4928 | sc.exe
  4440 | sc.exe
  2716 | sc.exe
  2148 | sc.exe
  2740 | sc.exe
  3156 | sc.exe
  4148 | sc.exe
  4524 | sc.exe
  3688 | sc.exe
  1364 | sc.exe
  960 | sc.exe
  3468 | sc.exe
  1672 | sc.exe
  4696 | sc.exe
  4428 | sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
Processes:
  pid | pid_target | process | target process
  2408 | 3844 | WerFault.exe | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  4400 | 3952 | WerFault.exe | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Delays execution with timeout.exe (2 IoCs)
Processes:
  pid | process
  1972 | timeout.exe
  1012 | timeout.exe
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  432 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes:
  pid | process
  1952 | AdvancedRun.exe (4 entries)
  2180 | AdvancedRun.exe (4 entries)
  4452 | powershell.exe
  3844 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe (5 entries)
  4452 | powershell.exe
  4944 | AdvancedRun.exe (4 entries)
  1792 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe (2 entries)
  3592 | powershell.exe (3 entries)
  3952 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe (6 entries)
Suspicious use of AdjustPrivilegeToken (58 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1952 | AdvancedRun.exe
  Token: SeImpersonatePrivilege | 1952 | AdvancedRun.exe
  Token: SeDebugPrivilege | 2180 | AdvancedRun.exe
  Token: SeImpersonatePrivilege | 2180 | AdvancedRun.exe
  Token: SeDebugPrivilege | 4452 | powershell.exe
  Token: SeDebugPrivilege | 3844 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Token: SeDebugPrivilege | 4944 | AdvancedRun.exe
  Token: SeImpersonatePrivilege | 4944 | AdvancedRun.exe
  Token: SeBackupPrivilege | 3296 | vssvc.exe
  Token: SeRestorePrivilege | 3296 | vssvc.exe
  Token: SeAuditPrivilege | 3296 | vssvc.exe
  Token: SeBackupPrivilege | 2152 | wbengine.exe
  Token: SeRestorePrivilege | 2152 | wbengine.exe
  Token: SeSecurityPrivilege | 2152 | wbengine.exe
  Token: SeIncreaseQuotaPrivilege | 4124 | WMIC.exe
  Token: SeSecurityPrivilege | 4124 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 4124 | WMIC.exe
  Token: SeLoadDriverPrivilege | 4124 | WMIC.exe
  Token: SeSystemProfilePrivilege | 4124 | WMIC.exe
  Token: SeSystemtimePrivilege | 4124 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 4124 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 4124 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 4124 | WMIC.exe
  Token: SeBackupPrivilege | 4124 | WMIC.exe
  Token: SeRestorePrivilege | 4124 | WMIC.exe
  Token: SeShutdownPrivilege | 4124 | WMIC.exe
  Token: SeDebugPrivilege | 4124 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 4124 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 4124 | WMIC.exe
  Token: SeUndockPrivilege | 4124 | WMIC.exe
  Token: SeManageVolumePrivilege | 4124 | WMIC.exe
  Token: 33 | 4124 | WMIC.exe
  Token: 34 | 4124 | WMIC.exe
  Token: 35 | 4124 | WMIC.exe
  Token: 36 | 4124 | WMIC.exe
  (the 21 entries above for 4124 WMIC.exe, SeIncreaseQuotaPrivilege through 36, are listed a second time in the same order)
  Token: SeDebugPrivilege | 3592 | powershell.exe
  Token: SeDebugPrivilege | 3952 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description | pid | process | target process
  PID 3844 wrote to memory of 1952 | 3844 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe | AdvancedRun.exe (3 entries)
  PID 1952 wrote to memory of 2180 | 1952 | AdvancedRun.exe | AdvancedRun.exe (3 entries)
  PID 3844 wrote to memory of 4452 | 3844 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe | powershell.exe (3 entries)
  PID 3844 wrote to memory of 336 | 3844 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe | cmd.exe (3 entries)
  PID 336 wrote to memory of 1972 | 336 | cmd.exe | timeout.exe (3 entries)
  PID 3844 wrote to memory of 4160 | 3844 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe (3 entries)
  PID 3844 wrote to memory of 1792 | 3844 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe (9 entries)
  PID 1792 wrote to memory of 468 | 1792 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe | cmd.exe (2 entries)
  PID 468 wrote to memory of 432 | 468 | cmd.exe | vssadmin.exe (2 entries)
  PID 3952 wrote to memory of 4944 | 3952 | e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe | AdvancedRun.exe (3 entries)
  PID 3852 wrote to memory of 4524 | 3852 | cmd.exe | sc.exe (2 entries)
  PID 3852 wrote to memory of 4440 | 3852 | cmd.exe | sc.exe (2 entries)
  PID 3852 wrote to memory of 3688 | 3852 | cmd.exe | sc.exe (2 entries)
  PID 468 wrote to memory of 1052 | 468 | cmd.exe | wbadmin.exe (2 entries)
  PID 3852 wrote to memory of 2716 | 3852 | cmd.exe | sc.exe (2 entries)
  PID 3852 wrote to memory of 4696 | 3852 | cmd.exe | cmd.exe (2 entries)
  PID 3852 wrote to memory of 3156 | 3852 | cmd.exe | sc.exe (2 entries)
  PID 3852 wrote to memory of 1424 | 3852 | cmd.exe | sc.exe (2 entries)
  PID 3852 wrote to memory of 2148 | 3852 | cmd.exe | sc.exe (2 entries)
  PID 3852 wrote to memory of 4148 | 3852 | cmd.exe | sc.exe (2 entries)
  PID 3852 wrote to memory of 4428 | 3852 | cmd.exe | sc.exe (2 entries)
  PID 468 wrote to memory of 4124 | 468 | cmd.exe | WMIC.exe (2 entries)
  PID 3852 wrote to memory of 1364 | 3852 | cmd.exe | sc.exe (2 entries)
  PID 3852 wrote to memory of 2740 | 3852 | cmd.exe | sc.exe (2 entries)
  PID 3852 wrote to memory of 644 | 3852 | cmd.exe | sc.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Checks computer location settings
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\2bb7a623-b619-4a44-9f03-14b53dbadc2e\AdvancedRun.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2bb7a623-b619-4a44-9f03-14b53dbadc2e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\2bb7a623-b619-4a44-9f03-14b53dbadc2e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\2bb7a623-b619-4a44-9f03-14b53dbadc2e\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2bb7a623-b619-4a44-9f03-14b53dbadc2e\AdvancedRun.exe" /SpecialRun 4101d8 1952
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      - Delays execution with timeout.exe
  C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe"
  C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe"
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe" n1792
      - Checks computer location settings
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\dacfe76c-ec86-42ca-adc7-8e4854061561\AdvancedRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\dacfe76c-ec86-42ca-adc7-8e4854061561\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\dacfe76c-ec86-42ca-adc7-8e4854061561\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dacfe76c-ec86-42ca-adc7-8e4854061561\test.bat"
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\sc.exe
            Command line: sc stop windefend
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc config windefend start= disabled
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc stop Sense
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc config Sense start= disabled
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc stop wuauserv
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc config wuauserv start= disabled
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc stop usosvc
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc config usosvc start= disabled
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc stop WaasMedicSvc
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc config WaasMedicSvc start= disabled
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc stop SecurityHealthService
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc config SecurityHealthService start= disabled
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc stop SDRSVC
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc config SDRSVC start= disabled
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc stop wscsvc
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc config wscsvc start= disabled
            - Launches sc.exe
          C:\Windows\system32\sc.exe
            Command line: sc stop WdiServiceHost
            - Launches sc.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe" -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 1
          - Delays execution with timeout.exe
      C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe"
      C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe"
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1712
        - Program crash
    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 872
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3844 -ip 3844
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3952 -ip 3952
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Program Files\7-Zip\readme-warning.txt
  Filesize: 1KB
  MD5: e217e139ef30c6b01a891a46abdfdfdb
  SHA1: b7fcffce07cbdc0408c8156f22ac6ab0a8c742c9
  SHA256: cb631d734d62dce1742744b81cccd7418c27fa6da089d366378b43c00186598e
  SHA512: a22208a2537138f0b70087b1f0f10972e2ed2feb3ea8ea2f7bc0f7668a4fc1b807aaa7173d04ff04d415c043e1278357d39c7f539b4037ebbc6926e21863d117
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 2cdcf827ee114ba6e823284bf11d6fe7
  SHA1: 468a8e6f89c240e153d0708d361eeb4e8cc8e0a5
  SHA256: 85dd2678d156840be913bf31a54bd0e32616e9b3f6a5b5e6f709e64a4412791c
  SHA512: 552eb84b6d16b40789f4dbf57ccb63c1c311dc6b0b492036e280989ff5e490dd9f44b9d97ca351c45a87f611c3aac62f306b041046417e43a21227055bf052fd
C:\Users\Admin\AppData\Local\Temp\2bb7a623-b619-4a44-9f03-14b53dbadc2e\AdvancedRun.exe
  Filesize: 88KB
  MD5: 17fc12902f4769af3a9271eb4e2dacce
  SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
  SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
  SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jv14xpt4.nwy.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
C:\Users\Admin\AppData\Local\Temp\dacfe76c-ec86-42ca-adc7-8e4854061561\test.bat
  Filesize: 8KB
  MD5: b2a5ef7d334bdf866113c6f4f9036aae
  SHA1: f9027f2827b35840487efd04e818121b5a8541e0
  SHA256: 27426aa52448e564b5b9dff2dbe62037992ada8336a8e36560cee7a94930c45e
  SHA512: 8ed39ed39e03fa6d4e49167e8ca4823e47a221294945c141b241cfd1eb7d20314a15608da3fafc3c258ae2cfc535d3e5925b56caceee87acfb7d4831d267189e
C:\Users\Admin\AppData\Local\Temp\dacfe76c-ec86-42ca-adc7-8e4854061561\test.bat.[22D0FE02].[honestandhope@qq.com].makop
  Filesize: 8KB
  MD5: 99a1cdf0c29a303fef01e16f327f241b
  SHA1: 997bc1f5178c58f0c2fcaf2c53f4dfe21ca25898
  SHA256: d7ee28d30cc96b2a98494995b6e910e651a9a1756596c571de85c52157a9d505
  SHA512: 36990dfb21826a2de836fff1507d6c13cb1975f2e4a98156bb8f041b5f0c124664f17c5d4ba0d62e57fbc90069b6216a0376273bb427cb3a4a375301c9e530cc