Analysis
max time kernel: 147s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 06:55
Static task: static1
Behavioral task: behavioral1
Sample: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
Resource: win7-20240221-en
(The platform line and the memory-dump path under Signatures, tagged behavioral2, identify the events below as the windows10-2004_x64 run.)
General
Target: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
Size: 2.6MB
MD5: e6e2378b5d5ef85b039d0b261db4fa9e
SHA1: 2ab9b906aff4722d91b824b4ac887c5f9fc769c8
SHA256: f06f42f55d97811886559c435e20fa273b088c08552ed47a70b715c21e74308d
SHA512: 24fbc820af4d86186f5cd76408add26cdd54e15573e0fce1b89b8167e5f736a06b45096bc99ef601ed4b01b4f3a9446051e678caea36f1188d9136c156856ce0
SSDEEP: 12288:tKhh8Op3AVN1B2bPHzdThCblOA1RIV84xR12UcHa2dCaGT576f+j1lc1SWZIBpLQ:tKhh8Op3AVN10bPHzdTg6
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet/tag: Office04
C2: rat34.ddns.net:25565
Mutex: 7bf81572-f7bb-4bdf-9c79-2c3a4754a152
encryption_key: C3DCCCB06A6A0C21F917BABB61CE259EB0570761
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir

Office04, Client.exe, Logs, 3000, "Quasar Client Startup" and SubDir are the values the open-source Quasar builder ships with, so the operator-specific items here are the C2 host, the mutex and the key. The C2 is a dynamic-DNS name on a non-standard port (rat34.ddns.net, TCP 25565); it resolves to whatever the operator points it at, so block and alert on the hostname rather than on an IP observed once. Note also that the persistence seen below (a copy named svchost.exe under C:\Program Files\Common Files\System\ and a RunOnce value) does not follow install_name/subdirectory from this config: those actions are attributed to the outer executable, the process that later performs SetThreadContext, not to the hollowed child in which the Quasar payload was found.
Signatures

Quasar payload   1 IoCs
  resource: behavioral2/memory/4724-18-0x0000000000400000-0x0000000000484000-memory.dmp   yara_rule: family_quasar
  (The hit is in the memory of PID 4724, the child that PID 320 spawned and then targeted with SetThreadContext; the on-disk sample itself is the loader.)

Windows security bypass   3 IoCs   (heading restored from the process-tree labels; the table had lost it)
Process: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\\svchost.exe = "0"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe = "0"
  The loader is a 32-bit process (its children run from SysWOW64), so these direct writes were redirected into the WOW6432Node view of HKLM\SOFTWARE, which is not the view the Defender service reads its exclusions from. The effective route is the powershell Add-MpPreference -ExclusionPath commands in the process tree, which require administrative rights.
Checks computer location settings   2 TTPs   15 IoCs
Looks up country code configured in the registry, likely geofence.
Process: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe (15 instances)
  Key value queried  \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation   (15 identical events, one per loader/payload instance)
  The value holds the user's region as a numeric GeoID. Ordinary region/culture lookups (GetUserGeoID and the managed wrappers around it) read the same value, so one query per instance is weak evidence of geofencing on its own; no region-dependent branch is visible in this trace, which ran on an en-us image.

Windows security modification   4 IoCs   (heading restored from the process-tree labels)
Process: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\\svchost.exe = "0"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe = "0"
Adds Run key to start application   2 TTPs   8 IoCs
Process: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe (8 instances)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\谈说话诅诙诳请诉调诠诃诔诂识诙 = "C:\\Program Files\\Common Files\\System\\\uf532\uf536\uf539\uf538\uf564\uf563\uf544\uf55a\uf569\uf577\uf576\uf530\uf55a\uf566\uf571\\svchost.exe"   (8 identical events, one per loader instance)
  The value name is a run of CJK characters and the directory under Common Files\System is a run of fifteen private-use-area code points (U+F530 to U+F577), which the report prints as \uf5xx escapes. Everywhere else on this page that directory name is dropped from the rendering, which is why the drop path and the exclusion path appear as C:\Program Files\Common Files\System\\svchost.exe with a doubled backslash. When hunting, match on the RunOnce data (or on the empty-looking segment), not on a path copied from the displayed string. RunOnce, unlike Run, is deleted after it fires, so each loader generation re-registers it.
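The two tables above describe the same file from two angles: the Defender exclusion is displayed as C:\Program Files\Common Files\System\\svchost.exe, while the RunOnce data carries the private-use-area directory name in that position. The Python below is an added example written for this page, not code from the sandbox report or from Quasar. It parses registry events in the report's own "Set value (type) <key> = "<data>"" form, flags Defender exclusion additions and Run/RunOnce persistence, characterises unusual Unicode in value names and paths, and reproduces the report's display form so the two rows can be correlated. The three sample events are transcribed from this page with the report's escaping removed; rule names, field names and helper names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three registry events transcribed from the report's
# "Windows security modification" and "Adds Run key" tables. The third one
# carries the real private-use-area characters the report shows as \uf5xx.
SAMPLE_EVENTS = [
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender'
    '\\Exclusions\\Paths\\C:\\Program Files\\Common Files\\System\\\\svchost.exe = "0"',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender'
    '\\Exclusions\\Paths\\C:\\Users\\Admin\\AppData\\Local\\Temp\\'
    'e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe = "0"',
    'Set value (str) \\REGISTRY\\USER\\S-1-5-21-3045580317-3728985860-206385570-1000'
    '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\谈说话诅诙诳请诉调诠诃诔诂识诙 = '
    '"C:\\Program Files\\Common Files\\System\\'
    '\uf532\uf536\uf539\uf538\uf564\uf563\uf544\uf55a\uf569\uf577\uf576\uf530\uf55a\uf566\uf571'
    '\\svchost.exe"',
]

# Defender exclusions are DWORD values named after the excluded path/process.
DEFENDER_EXCLUSION = re.compile(
    r'^Set value \(int\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?'
    r'Microsoft\\Windows Defender\\Exclusions\\(?P<kind>Paths|Processes|Extensions)'
    r'\\(?P<target>.+?) = "0"$')

# Run/RunOnce under either hive; the value name must not contain backslashes.
RUN_KEY = re.compile(
    r'^Set value \(str\) \\REGISTRY\\(?P<hive>MACHINE|USER\\S-1-5-21-[\d-]+)\\SOFTWARE\\'
    r'(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(?P<key>RunOnce|Run)'
    r'\\(?P<name>[^\\]+) = "(?P<command>.*)"$')


@dataclass
class Finding:
    rule: str
    target: str                 # path in the report's display form
    notes: list[str] = field(default_factory=list)


def is_private_use(ch: str) -> bool:
    return 0xE000 <= ord(ch) <= 0xF8FF


def display_form(path: str) -> str:
    """Drop private-use-area code points, which is how the report renders the
    path: the PUA directory collapses into an empty segment (a doubled slash)."""
    return "".join(ch for ch in path if not is_private_use(ch))


def describe_name(s: str) -> list[str]:
    pua = sum(1 for c in s if is_private_use(c))
    other = sum(1 for c in s if ord(c) > 0x7F and not is_private_use(c))
    notes = []
    if pua:
        notes.append(f"{pua} private-use-area code points")
    if other:
        notes.append(f"{other} other non-ASCII code points")
    return notes


def analyze(events: list[str]) -> list[Finding]:
    findings = []
    for ev in events:
        m = DEFENDER_EXCLUSION.match(ev)
        if m:
            notes = [f"kind={m['kind']}"] + describe_name(m["target"])
            findings.append(Finding("defender_exclusion", display_form(m["target"]), notes))
            continue
        m = RUN_KEY.match(ev)
        if m:
            raw = m["command"]
            notes = [f"key={m['key']}"]
            notes += [f"value name: {n}" for n in describe_name(m["name"])]
            notes += [f"path: {n}" for n in describe_name(raw)]
            if display_form(raw) != raw:
                notes.append("path differs from its displayed form")
            findings.append(Finding("run_key_persistence", display_form(raw), notes))
    return findings


def excluded_persistence_paths(findings: list[Finding]) -> list[str]:
    """Autorun targets that were also excluded from Defender (compared in
    display form, so the stripped PUA segment does not break the match)."""
    excluded = {f.target.lower() for f in findings if f.rule == "defender_exclusion"}
    return sorted(f.target for f in findings
                  if f.rule == "run_key_persistence" and f.target.lower() in excluded)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f.rule, f.target, "; ".join(f.notes))
    print("excluded + persisted:", excluded_persistence_paths(found))
```

Run it as-is to see the two exclusions and the RunOnce entry reduced to one correlated path. Comparing in display form is deliberate: an EDR that logs the raw value name and a report that strips unprintable characters will otherwise disagree about whether the excluded file and the persisted file are the same object.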
Suspicious use of SetThreadContext   8 IoCs
Process: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe (8 instances)
  PID  320  set thread context of 4724  target: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
  PID 1896  set thread context of  392  target: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
  PID 3776  set thread context of 1884  target: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
  PID 3076  set thread context of 2268  target: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
  PID 1156  set thread context of 4356  target: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
  PID 3324  set thread context of 1556  target: PING.EXE (see note)
  PID 4940  set thread context of 4496  target: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
  PID 3944  set thread context of 3920  target: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
  For every pair visible in the process tree the source is a loader instance and the target is the child it spawned from the same image. Together with the 8-write WriteProcessMemory bursts to those children (versus 3 for ordinary children) and the family_quasar YARA hit in 4724, this is the process-hollowing pattern: a fresh copy of the sample started suspended, its image replaced with the Quasar payload, and the thread context pointed at the new entry point. PID 1556 is labelled PING.EXE here but appears as e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe in the AdjustPrivilegeToken table and as a PING.EXE instance under "Runs ping.exe": the sandbox reused that PID during the run, so pair sources and targets by time, not by PID alone. The final target, 3920, is the process that crashed (see Program crash and UnmapMainImage below).

Drops file in Program Files directory   2 IoCs
Process: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
  File created                C:\Program Files\Common Files\System\\svchost.exe
  File opened for modification C:\Program Files\Common Files\System\\svchost.exe
  (The doubled backslash stands for the private-use-area directory name recorded in the RunOnce value above.)
Enumerates physical storage devices   1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash   1 IoCs
  WerFault.exe PID 2908   target PID 3920   target process: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

Runs ping.exe   1 TTPs   7 IoCs
  PING.EXE PIDs: 1964, 524, 4728, 3576, 1136, 1556, 5024
  (Each is "ping -n 10 localhost" from a restart batch, i.e. a roughly nine-second sleep before the relaunch.)

Suspicious behavior: EnumeratesProcesses   51 IoCs
  powershell.exe PIDs: 4064, 1020, 3008, 3884, 2360, 2400, 2860, 4152, 1972, 4048, 4872, 3716, 2456, 1776, 1392, 1924, 1096, 1828, 4400, 3628, 2016, 4744, 1540, 3144
  (51 events across these 24 powershell.exe instances, all of them Add-MpPreference invocations.)

Suspicious use of AdjustPrivilegeToken   39 IoCs
  Token: SeDebugPrivilege
  e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe PIDs (15): 320, 4724, 1896, 392, 3776, 1884, 3076, 2268, 1156, 4356, 3324, 1556, 4940, 4496, 3944
  powershell.exe PIDs (24): 3008, 4064, 1020, 3884, 2360, 2400, 2860, 4152, 1972, 4048, 4872, 3716, 2456, 1776, 1392, 1924, 1096, 1828, 4400, 2016, 3628, 4744, 1540, 3144
  (Both the loader and its hollowed children enable SeDebugPrivilege; the loader needs it for nothing visible here beyond its own child, so it is a useful but not decisive signal.)

Suspicious use of UnmapMainImage   1 IoCs
  e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe PID 3920
  (The original image of the last hollowed child was unmapped; this is the instance that then crashed under WerFault.)
Suspicious use of WriteProcessMemory   64 IoCs
Processes: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe (5 instances), cmd.exe (2 instances)
  PID  320 -> 3008 powershell.exe   (3 writes)
  PID  320 -> 4064 powershell.exe   (3)
  PID  320 -> 1020 powershell.exe   (3)
  PID  320 -> 4724 e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe   (8)
  PID 4724 -> 3988 cmd.exe   (3)
  PID 3988 -> 2512 chcp.com   (3)
  PID 3988 -> 5024 PING.EXE   (3)
  PID 3988 -> 1896 e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe   (3)
  PID 1896 -> 3884 powershell.exe   (3)
  PID 1896 -> 2360 powershell.exe   (3)
  PID 1896 -> 2400 powershell.exe   (3)
  PID 1896 ->  392 e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe   (8)
  PID  392 -> 3016 cmd.exe   (3)
  PID 3016 -> 2724 chcp.com   (3)
  PID 3016 -> 1964 PING.EXE   (3)
  PID 3016 -> 3776 e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe   (3)
  PID 3776 -> 2860 powershell.exe   (3)
  PID 3776 -> 4152 powershell.exe   (3)
  (The table is capped at 64 rows. Children created normally receive 3 writes each; the two hollowed children in this window, 4724 and 392, receive 8.)
Processes
(Indentation follows the depth the report numbers 1 to 17; each entry gives the image, the command line, the PID and the signatures attributed to that PID. The tree repeats one unit: a loader instance runs three Add-MpPreference exclusions and hollows a copy of itself; the hollowed child writes a temporary batch that runs chcp 65001, ping -n 10 localhost and relaunches the loader; the relaunched loader starts the next round. The listing is cut off in the source during the sixth round.)

  [1] C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe  (PID 320)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"
      - Windows security bypass
      - Checks computer location settings
      - Windows security modification
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3008)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4064)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1020)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe  (PID 4724, hollowed; Quasar YARA hit)
        cmdline: C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
        - Checks computer location settings
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\cmd.exe  (PID 3988)
          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BulbEsDT2gTu.bat" "
          - Suspicious use of WriteProcessMemory
        [4] C:\Windows\SysWOW64\chcp.com  (PID 2512)
            cmdline: chcp 65001
        [4] C:\Windows\SysWOW64\PING.EXE  (PID 5024)
            cmdline: ping -n 10 localhost
            - Runs ping.exe
        [4] C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe  (PID 1896)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"
            - Checks computer location settings
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3884)
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2360)
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2400)
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [5] C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe  (PID 392, hollowed)
              cmdline: C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
              - Checks computer location settings
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [6] C:\Windows\SysWOW64\cmd.exe  (PID 3016)
                cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FzbHdUlqlgk5.bat" "
                - Suspicious use of WriteProcessMemory
              [7] C:\Windows\SysWOW64\chcp.com  (PID 2724)
                  cmdline: chcp 65001
              [7] C:\Windows\SysWOW64\PING.EXE  (PID 1964)
                  cmdline: ping -n 10 localhost
                  - Runs ping.exe
              [7] C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe  (PID 3776)
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"
                  - Checks computer location settings
                  - Adds Run key to start application
                  - Suspicious use of SetThreadContext
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2860)
                    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4152)
                    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1972)
                    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                [8] C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe  (PID 1884, hollowed)
                    cmdline: C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                    - Checks computer location settings
                    - Suspicious use of AdjustPrivilegeToken
                  [9] C:\Windows\SysWOW64\cmd.exe  (PID 3140)
                      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qRCs6zBFRRC8.bat" "
                    [10] C:\Windows\SysWOW64\chcp.com  (PID 4608)
                         cmdline: chcp 65001
                    [10] C:\Windows\SysWOW64\PING.EXE  (PID 524)
                         cmdline: ping -n 10 localhost
                         - Runs ping.exe
                    [10] C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe  (PID 3076)
                         cmdline: "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"
                         - Checks computer location settings
                         - Adds Run key to start application
                         - Suspicious use of SetThreadContext
                         - Suspicious use of AdjustPrivilegeToken
                      [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4048)
                           cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                           - Suspicious behavior: EnumeratesProcesses
                           - Suspicious use of AdjustPrivilegeToken
                      [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4872)
                           cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force
                           - Suspicious behavior: EnumeratesProcesses
                           - Suspicious use of AdjustPrivilegeToken
                      [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3716)
                           cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                           - Suspicious behavior: EnumeratesProcesses
                           - Suspicious use of AdjustPrivilegeToken
                      [11] C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe  (PID 2268, hollowed)
                           cmdline: C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                           - Checks computer location settings
                           - Suspicious use of AdjustPrivilegeToken
                        [12] C:\Windows\SysWOW64\cmd.exe  (PID 4324)
                             cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGkFQ4DeO5bT.bat" "
                          [13] C:\Windows\SysWOW64\chcp.com  (PID 4328)
                               cmdline: chcp 65001
                          [13] C:\Windows\SysWOW64\PING.EXE  (PID 4728)
                               cmdline: ping -n 10 localhost
                               - Runs ping.exe
                          [13] C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe  (PID 1156)
                               cmdline: "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"
                               - Checks computer location settings
                               - Adds Run key to start application
                               - Suspicious use of SetThreadContext
                               - Suspicious use of AdjustPrivilegeToken
                            [14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2456)
                                 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                                 - Suspicious behavior: EnumeratesProcesses
                                 - Suspicious use of AdjustPrivilegeToken
                            [14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1776)
                                 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force
                                 - Suspicious behavior: EnumeratesProcesses
                                 - Suspicious use of AdjustPrivilegeToken
                            [14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1392)
                                 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                                 - Suspicious behavior: EnumeratesProcesses
                                 - Suspicious use of AdjustPrivilegeToken
                            [14] C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe  (PID 4356, hollowed)
                                 cmdline: C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
                                 - Checks computer location settings
                                 - Suspicious use of AdjustPrivilegeToken
                              [15] C:\Windows\SysWOW64\cmd.exe  (PID 1696)
                                   cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5FRatSaIBxe0.bat" "
                                [16] C:\Windows\SysWOW64\chcp.com  (PID 1388)
                                     cmdline: chcp 65001
                                [16] C:\Windows\SysWOW64\PING.EXE  (PID 3576)
                                     cmdline: ping -n 10 localhost
                                     - Runs ping.exe
                                [16] C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe  (PID 3324)
                                     cmdline: "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"
                                     - Checks computer location settings
                                     - Adds Run key to start application
                                     - Suspicious use of SetThreadContext
                                     - Suspicious use of AdjustPrivilegeToken
                                  [17] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1924)
                                       cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force
                                       - Suspicious behavior: EnumeratesProcesses
                                       - Suspicious use of AdjustPrivilegeToken
                                  [17] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                       cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force17⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe17⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1556 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaoQY8EFF36B.bat" "18⤵PID:3420
-
C:\Windows\SysWOW64\chcp.comchcp 6500119⤵PID:4644
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost19⤵
- Runs ping.exe
PID:1136 -
C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"19⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4940 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force20⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force20⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force20⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe20⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q0OtEA2Nz2i4.bat" "21⤵PID:4124
-
C:\Windows\SysWOW64\chcp.comchcp 6500122⤵PID:3536
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost22⤵
- Runs ping.exe
PID:1556 -
C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"22⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3944 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force23⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4744 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force23⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force23⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3144 -
C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe23⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe23⤵PID:1708
-
C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe23⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe23⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe23⤵
- Suspicious use of UnmapMainImage
PID:3920 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1224⤵
- Program crash
PID:2908
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3920 -ip 39201⤵PID:1628
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe.log