Analysis
- max time kernel: 150s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
- submitted: 11-04-2024 10:49
- Static task: static1
General
- Target: ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe
- Size: 705KB
- MD5: ed3ee5d24eb6c0cc2ece39ee104626aa
- SHA1: 4b72d7ada5932a9980d521325f4bb7f8b39396b3
- SHA256: fe69326fb24b5c83fa532166371c23b0707b910b96233b9db22130fa2131adab
- SHA512: 9b5de1c6febb33aab504aa46813c24377177f48d9624436f1d247191d3631c997bf552becccaae000bdc21da67c9ef192258032b5784a417432a6fec14d3faed
- SSDEEP: 12288:8DJnJM4OpSpnO8kTQlgtBLDAChznzLW7naDjRrI31vjAmAmvMY:AJnJM4OqTWqiBLcChznzLW7nOjRrI316
Malware Config
Signatures
-
Expiro payload (2 IoCs)
Processes: PID 4076 (the submitted sample) and PID 4648 (alg.exe); both memory regions start at 0x140000000, the default image base of a 64-bit PE, so the Expiro signature fires on the main image of the sample and of the infected alg.exe rather than on an injected region.
- behavioral1/memory/4076-142-0x0000000140000000-0x000000014016C000-memory.dmp: family_expiro1
- behavioral1/memory/4648-223-0x0000000140000000-0x0000000140136000-memory.dmp: family_expiro1
Windows security modification
Disables taskbar notifications via registry modification
Processes: alg.exe
The writer is alg.exe (the Application Layer Gateway service binary under System32, which the sample opened for modification, see "Drops file in System32 directory"), not the submitted sample itself. The key is the per-user Security Center Svc subtree for the sandbox user's SID.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-566096764-1992588923-1249862864-1000 (alg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-566096764-1992588923-1249862864-1000\EnableNotifications = "0" (alg.exe)
-
Executes dropped EXE (7 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe
- PID 4648 alg.exe
- PID 4688 DiagnosticsHub.StandardCollector.Service.exe
- PID 4560 fxssvc.exe
- PID 1596 elevation_service.exe
- PID 468 elevation_service.exe
- PID 5092 maintenanceservice.exe
- PID 4928 msdtc.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives (3 TTPs, 42 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: alg.exe, ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe
Both processes sweep every drive letter from E: to Z: except F: (21 letters each, listed here in sorted order):
- alg.exe: File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe: File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
-
Drops file in System32 directory (64 IoCs)
Processes: ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe, alg.exe, msdtc.exe
Every entry except the last is either a service executable opened for write or an eight-letter random .tmp created in the same directory; the MSDTC.LOG entry is msdtc.exe's own log file.
ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe, File opened for modification (24):
- \??\c:\windows\system32\fxssvc.exe
- \??\c:\windows\system32\openssh\ssh-agent.exe
- \??\c:\windows\system32\sensordataservice.exe
- \??\c:\windows\system32\wbengine.exe
- \??\c:\windows\system32\dllhost.exe
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
- \??\c:\windows\system32\lsass.exe
- \??\c:\windows\system32\Agentservice.exe
- \??\c:\windows\system32\alg.exe
- \??\c:\windows\system32\Appvclient.exe
- \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe
- \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe
- \??\c:\windows\syswow64\perfhost.exe
- \??\c:\windows\system32\msdtc.exe
- \??\c:\windows\system32\vds.exe
- \??\c:\windows\system32\snmptrap.exe
- \??\c:\windows\system32\searchindexer.exe
- \??\c:\windows\system32\vssvc.exe
- \??\c:\windows\system32\svchost.exe
- \??\c:\windows\system32\spectrum.exe
- \??\c:\windows\system32\tieringengineservice.exe
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- \??\c:\windows\system32\locator.exe
- \??\c:\windows\system32\wbem\wmiApsrv.exe
ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe, File created (21):
- \??\c:\windows\system32\kbabjcek.tmp
- \??\c:\windows\system32\pehdbjbf.tmp
- \??\c:\windows\system32\ojhjdleg.tmp
- \??\c:\windows\system32\wbem\jgmmpilf.tmp
- \??\c:\windows\system32\gdmkiabh.tmp
- \??\c:\windows\system32\oldbcapk.tmp
- \??\c:\windows\system32\ddhjbnjl.tmp
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\lfdeflfc.tmp
- \??\c:\windows\system32\dfmobhjp.tmp
- \??\c:\windows\system32\klcfbild.tmp
- \??\c:\windows\system32\fachgipn.tmp
- \??\c:\windows\system32\napgmpqb.tmp
- C:\Windows\System32\WindowsPowerShell\v1.0\gfadbocm.tmp
- \??\c:\windows\system32\perceptionsimulation\ifcnooif.tmp
- \??\c:\windows\system32\openssh\bikccbni.tmp
- \??\c:\windows\system32\diagsvcs\lmjmhijc.tmp
- \??\c:\windows\system32\hplkkcfj.tmp
- \??\c:\windows\system32\pfimdddp.tmp
- \??\c:\windows\system32\jiomilhg.tmp
- \??\c:\windows\system32\elkoqenc.tmp
- \??\c:\windows\system32\lbipaagm.tmp
alg.exe, File opened for modification (18):
- \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe
- \??\c:\windows\system32\wbengine.exe
- \??\c:\windows\system32\svchost.exe
- \??\c:\windows\system32\Agentservice.exe
- \??\c:\windows\system32\lsass.exe
- \??\c:\windows\syswow64\perfhost.exe
- \??\c:\windows\system32\dllhost.exe
- \??\c:\windows\system32\spectrum.exe
- \??\c:\windows\system32\vssvc.exe
- \??\c:\windows\system32\msdtc.exe
- \??\c:\windows\system32\tieringengineservice.exe
- \??\c:\windows\system32\vds.exe
- \??\c:\windows\system32\snmptrap.exe
- \??\c:\windows\system32\fxssvc.exe
- \??\c:\windows\system32\searchindexer.exe
- \??\c:\windows\system32\Appvclient.exe
- \??\c:\windows\system32\sensordataservice.exe
- \??\c:\windows\system32\wbem\wmiApsrv.exe
msdtc.exe, File opened for modification (1):
- C:\Windows\system32\MSDtc\MSDTC.LOG
-
Drops file in Program Files directory (64 IoCs)
Processes: ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe, alg.exe
ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe, File opened for modification (31):
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
- C:\Program Files\Java\jdk-1.8\bin\java.exe
- C:\Program Files\Java\jdk-1.8\bin\jps.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe
- C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
- C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
- C:\Program Files\Internet Explorer\ieinstal.exe
- C:\Program Files\Java\jdk-1.8\bin\jstatd.exe
- C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe
- \??\c:\program files (x86)\google\update\googleupdate.exe
- C:\Program Files\Internet Explorer\iediagcmd.exe
- C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- C:\Program Files\Java\jdk-1.8\bin\jmap.exe
- \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe
- C:\Program Files\Java\jdk-1.8\bin\jar.exe
- C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
- C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
- C:\Program Files\Java\jdk-1.8\bin\ktab.exe
- C:\Program Files\Internet Explorer\ielowutil.exe
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
- C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
- C:\Program Files\Java\jdk-1.8\bin\javac.exe
- C:\Program Files\Java\jdk-1.8\bin\serialver.exe
- C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
- C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
- C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
- C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
- C:\Program Files\Common Files\microsoft shared\ink\mip.exe
- C:\Program Files\Java\jdk-1.8\bin\unpack200.exe
ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe, File created (28):
- C:\Program Files\Java\jdk-1.8\bin\kldonlpi.tmp
- C:\Program Files\Java\jdk-1.8\bin\edpbgqqb.tmp
- C:\Program Files\7-Zip\jgpijieg.tmp
- C:\Program Files\Java\jdk-1.8\jre\bin\njhoaela.tmp
- C:\Program Files\Java\jdk-1.8\bin\dhiophcl.tmp
- C:\Program Files\Java\jdk-1.8\bin\ckideamg.tmp
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lhbjhkab.tmp
- C:\Program Files\Java\jdk-1.8\bin\bbeoaohg.tmp
- C:\Program Files\Java\jdk-1.8\bin\qkqjnlke.tmp
- C:\Program Files\Java\jdk-1.8\bin\plqcccib.tmp
- C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp
- \??\c:\program files\windows media player\aooiemnn.tmp
- C:\Program Files\Java\jdk-1.8\bin\bnqbgacl.tmp
- C:\Program Files\Java\jdk-1.8\jre\bin\jdhpjodp.tmp
- C:\Program Files\dotnet\pijgofaf.tmp
- C:\Program Files\Google\Chrome\Application\elidehmc.tmp
- C:\Program Files\Java\jdk-1.8\bin\eehmdpjh.tmp
- C:\Program Files\7-Zip\nccafaqk.tmp
- C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp
- C:\Program Files\Java\jdk-1.8\jre\bin\ihmjdqgm.tmp
- C:\Program Files\Java\jdk-1.8\bin\idklmhke.tmp
- C:\Program Files\Java\jdk-1.8\bin\qnmnedfi.tmp
- \??\c:\program files\common files\microsoft shared\source engine\bnhakpip.tmp
- C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp
- C:\Program Files\Java\jdk-1.8\bin\ckfdqqhh.tmp
- C:\Program Files\Java\jdk-1.8\bin\lbdhbkde.tmp
- \??\c:\program files (x86)\mozilla maintenance service\lgooimbi.tmp
- C:\Program Files\Java\jdk-1.8\bin\idjlnmch.tmp
alg.exe, File opened for modification (5):
- \??\c:\program files\common files\microsoft shared\source engine\ose.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
- C:\Program Files\7-Zip\7z.exe
-
Drops file in Windows directory (3 IoCs)
Processes: ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe, alg.exe, msdtc.exe
- File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe (ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe)
- File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe (alg.exe)
- File opened for modification C:\Windows\DtcInstall.log (msdtc.exe)
-
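The three "Drops file" lists above share one shape: an executable under System32, Program Files or the .NET framework directory is opened for modification, and an eight-letter lowercase .tmp is created in the same directory. The processes doing it are the submitted sample and alg.exe, one of the System32 binaries the sample had itself opened for modification. The script below is an added example, not sandbox output, that parses a constructed subset of those IoC lines, separates infection targets from staging files and pairs each .tmp with the executables in its directory. The same-directory pairing is this example's heuristic, not something the report states, and because each list is cut at 64 IoCs an executable without a visible .tmp is not evidence of anything.

```python
"""Pull Expiro-style file-infection indicators out of sandbox "Drops file" IoC lines.

Added example for this report, not part of the sandbox output. SAMPLE_IOCS is a
constructed subset of the entries listed above; pairing a random eight-letter .tmp
with the executables in the same directory is a heuristic of this example.
"""
import re
from collections import defaultdict

# Constructed subset of the report's IoC lines, one entry per line:
# "<action> <path> <process>". Paths may contain spaces; the process name never does.
SAMPLE_IOCS = r"""
File opened for modification \??\c:\windows\system32\fxssvc.exe ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe
File created \??\c:\windows\system32\kbabjcek.tmp ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe
File created \??\c:\windows\system32\openssh\bikccbni.tmp ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe
File created C:\Program Files\7-Zip\jgpijieg.tmp ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification \??\c:\windows\system32\alg.exe ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\msdtc.exe alg.exe
File opened (read-only) \??\Q: alg.exe
""".strip().splitlines()

ACTIONS = ("File opened for modification", "File opened (read-only)", "File created")
# Staging files in the report are eight random lowercase letters plus ".tmp".
RANDOM_TMP = re.compile(r"^[a-z]{8}\.tmp$")


def parse_ioc(line):
    """Split one IoC line into (action, normalised lower-case path, process) or None."""
    for action in ACTIONS:
        if line.startswith(action + " "):
            path, _, process = line[len(action) + 1:].rpartition(" ")
            path = path.lower()
            if path.startswith("\\??\\"):  # strip the NT object-manager prefix
                path = path[4:]
            return action, path, process.lower()
    return None


def classify(lines):
    """Group executables opened for write and random .tmp files created, by directory."""
    targets = defaultdict(set)   # directory -> executables opened for modification
    staging = defaultdict(set)   # directory -> random .tmp files created there
    infectors = set()            # processes that opened an executable for modification
    for line in lines:
        parsed = parse_ioc(line)
        if parsed is None:
            continue
        action, path, process = parsed
        directory, _, name = path.rpartition("\\")
        if action == "File created" and RANDOM_TMP.match(name):
            staging[directory].add(name)
        elif action == "File opened for modification" and name.endswith(".exe"):
            targets[directory].add(name)
            infectors.add(process)
    return targets, staging, infectors


def pair_staging_files(targets, staging):
    """Heuristic (this example's own): a .tmp stages the executables in its directory.

    Returns (pairs, unpaired): pairs maps "<dir>\\<tmp>" to the sorted executables in
    that directory; unpaired lists directories with a modified executable but no
    visible .tmp, which the 64-entry cut in the report can easily cause.
    """
    pairs = {}
    for directory, tmps in staging.items():
        for tmp in sorted(tmps):
            pairs[directory + "\\" + tmp] = sorted(targets.get(directory, ()))
    unpaired = sorted(d for d in targets if d not in staging)
    return pairs, unpaired


def summarise(lines=SAMPLE_IOCS):
    """Counts and pairings for a list of IoC lines."""
    targets, staging, infectors = classify(lines)
    pairs, unpaired = pair_staging_files(targets, staging)
    return {
        "executables_targeted": sum(len(v) for v in targets.values()),
        "staging_files": sum(len(v) for v in staging.values()),
        "infectors": sorted(infectors),
        "pairs": pairs,
        "unpaired_dirs": unpaired,
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(key, "->", value)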
Modifies data under HKEY_USERS (5 IoCs)
Processes: fxssvc.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" (fxssvc.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" (fxssvc.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" (fxssvc.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" (fxssvc.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" (fxssvc.exe)
-
Suspicious behavior: EnumeratesProcesses (40 IoCs)
Processes: alg.exe
- PID 4648 alg.exe (40 occurrences)
-
Suspicious behavior: LoadsDriver (2 IoCs)
Processes:
- PID 656 (2 occurrences; no image name is given for this PID in the report)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe, fxssvc.exe, alg.exe
- Token: SeTakeOwnershipPrivilege, PID 4076 ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe
- Token: SeAuditPrivilege, PID 4560 fxssvc.exe
- Token: SeTakeOwnershipPrivilege, PID 4648 alg.exe
-
System policy modification (1 TTPs, 2 IoCs)
Processes: alg.exe
- Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (alg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (alg.exe)
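Both registry changes attributed to alg.exe in this report (Security Center Svc\<SID>\EnableNotifications = 0 under "Windows security modification", and the Explorer policy HideSCAHealth = 1 above) are visible to an endpoint sensor as registry value-set events. The example below is added here, is not part of the report and is not a vendor rule: it matches constructed Sysmon Event ID 13 records, modelled on the two IoCs, against those keys and values. The assumption that svchost.exe is the only expected writer of the Security Center Svc subtree is the example's own; it is what separates the finding (the value written by the sandbox's alg.exe, a service binary the sample had opened for modification) from a user toggling notifications off through the Security Center service.

```python
"""Match the registry changes this report attributes to alg.exe against Sysmon-style
registry events.

Added example, not sandbox output. SAMPLE_EVENTS is constructed to mirror the report's
IoCs in Sysmon Event ID 13 (RegistryEvent, value set) field names; the rules and the
EXPECTED_WRITERS assumption are this example's own, not a vendor rule set.
"""
import re

RULES = [
    {
        "name": "Security Center notifications disabled (per-user Svc key)",
        "key": re.compile(
            r"\\SOFTWARE\\Microsoft\\Security Center\\Svc\\S-1-5-21-[\d-]+\\EnableNotifications$",
            re.I),
        "value": re.compile(r"^DWORD \(0x00000000\)$", re.I),
    },
    {
        "name": "Security and Maintenance icon hidden via Explorer policy",
        "key": re.compile(r"\\Policies\\Explorer\\HideSCAHealth$", re.I),
        "value": re.compile(r"^DWORD \(0x00000001\)$", re.I),
    },
]

# Assumption of this example: the Security Center service (hosted in svchost.exe) is the
# only image expected to write these values; any other writer is worth an alert.
EXPECTED_WRITERS = {r"c:\windows\system32\svchost.exe"}

# Constructed events mirroring the report's IoCs, plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\alg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\Svc"
                     r"\S-1-5-21-566096764-1992588923-1249862864-1000\EnableNotifications",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\alg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth",
     "Details": "DWORD (0x00000001)"},
    # fxssvc.exe MuiCache write from the report: a registry write, but not one we care about.
    {"EventID": 13, "Image": r"C:\Windows\system32\fxssvc.exe",
     "TargetObject": r"HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133",
     "Details": "Print"},
    # Same value as the first event, written by the expected service host (constructed).
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\Svc"
                     r"\S-1-5-21-566096764-1992588923-1249862864-1000\EnableNotifications",
     "Details": "DWORD (0x00000000)"},
    # Key creation (Event ID 12) carries no value and is ignored by these rules.
    {"EventID": 12, "Image": r"C:\Windows\System32\alg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"},
]


def match_registry_events(events, rules=RULES):
    """Return one finding per value-set event whose key and value match a rule.

    unexpected_writer is True when the writing image is not in EXPECTED_WRITERS, which
    is the condition that should page someone; a match by an expected writer is
    context, not an alert.
    """
    findings = []
    for event in events:
        if event.get("EventID") != 13:
            continue
        for rule in rules:
            if rule["key"].search(event["TargetObject"]) and rule["value"].match(event["Details"]):
                image = event["Image"].lower()
                findings.append({
                    "rule": rule["name"],
                    "image": image,
                    "unexpected_writer": image not in EXPECTED_WRITERS,
                })
    return findings


def alerts(events=SAMPLE_EVENTS):
    """Only the findings from an unexpected writer."""
    return [f for f in match_registry_events(events) if f["unexpected_writer"]]


if __name__ == "__main__":
    for finding in match_registry_events(SAMPLE_EVENTS):
        print(("ALERT  " if finding["unexpected_writer"] else "info   ") + finding["rule"],
              "by", finding["image"])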
Processes
All entries are top-level (the sandbox shows every one at depth 1); none is a child of the submitted sample, which is what infected service binaries look like when their services start them rather than the sample spawning them.
- C:\Users\Admin\AppData\Local\Temp\ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe (PID 4076)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\alg.exe (PID 4648)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (PID 4688)
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
- C:\Windows\System32\svchost.exe (PID 2168)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
- C:\Windows\system32\fxssvc.exe (PID 4560)
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1596)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (PID 468)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 5092)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
- C:\Windows\System32\msdtc.exe (PID 4928)
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.9MB
  MD5: cb932f8cdbe2e084cafea173cda56959
  SHA1: 41d57c147180f1a907f30bb43fe76cf231cb9c19
  SHA256: 33a5cba53232783f36dbe492afd47d75c1bd1e002c0d56ffbd114ce41d8f2f34
  SHA512: c12fa87c5afb8d2802d494b5b475b222655e784833c1fe3c33bb016938bf4b9061d51532df32b1cc2f6b5f71e5ca1d8a5b4a80cc513ef2d4bac1972fb99c2a92
- Filesize: 613KB
  MD5: 2b8f0d05abe6d76c8df5c7591eccec6a
  SHA1: 5249c0d6afa6d25f6ffcb0947d9f6206afa8e861
  SHA256: c504430c091148bf20fe94e8d1e05f175c15216ca8fc55e5379bcd6f25e2092b
  SHA512: f3123793670247d529cd1aafaec154b6cba484e5b034a2597b81de7456bdcad93f90c3627259b70391cfb14d9b66ea43de928c575921eca29817c0e16ad36f0a
- Filesize: 940KB
  MD5: 1d7aed22bc4b51ba6fe41861235a3769
  SHA1: 7b0b5f26862fa6ed9abe9034a64855ef560cfadc
  SHA256: 421e64f2f0c7672e7cb745af0b198d2b978bdffcf4889acab1bcd5688e97e51e
  SHA512: b549db84abb62a68e600da1971a09f271cef6131d9e7a6ca4e67fe296f5b5b0f9b8b5566a983366188f3511d44504ed91c8f34cd2b7b3b975b7e36fff6d9752a
- Filesize: 1.3MB
  MD5: e47727869140dff924fb7cfa7b8cf47d
  SHA1: 141cd3554c09a500215182247576aa414315fcfb
  SHA256: e053d4591bf2dae24ba780e172244f3d226490db118ac255352051ef086f8a66
  SHA512: 490adfe050bb1520f8a0901570c8fcc8471d3f03b29373379b46ba59ac87c43dc526d2aa1995925ae04b9ed81e53110721f3d8a45845c7e6d60138cc83eaf072
- Filesize: 1.1MB
  MD5: ff5a5821b9281ba9cc4e459949dd78fb
  SHA1: 7b6d0bc6f43c4b730c8face648d18e9a325da7fb
  SHA256: d8b5fae661a35ec9347703f1766e4c6e6b6e5ea18fdc3699d5fdec16318b8b67
  SHA512: 70228e49dfb1e13243a1fd595c16e1deb35594f3b3a6b82bb72116d6945a4f8e5c80ce2f27dd3a25dc7d92bebe5fba92779f7c7c03ca65239635a444284288f1
- Filesize: 410KB
  MD5: 05197379416de7458d8163e46605259c
  SHA1: 6e69e39765b59169d560d9dbe87c89b0d9df9be0
  SHA256: ce4eb0a5a053a79f67f1b981c5be2b9a895fae02be11d9f7ff88baf980e104a7
  SHA512: f71016be27cd952f73637c9c7af267ba2d43ce3efa269ccbf1135f180e10f3b93b13aae7a376ca4e2cf2556d5e0eb9d097af3d74fd3679954ddd2e7985bc50b6
- Filesize: 672KB
  MD5: c48ac31c9858a0899ce8e3ed5bc35065
  SHA1: 245c054fa45dbbdbf6fcf1fc20d63b044b9b9e08
  SHA256: 68c5f7820f141bc2ea52a3f9af393ff5eb230dd5faf08266a6255ca5588519e1
  SHA512: b4865ea9d1864252127d0fb8c21ff1e294c94e564a039d28f7181826382ae806c3faf663b780bc994dbc6176b651393f8dad5adb9015d21b695de4ae602718f7
- Filesize: 4.5MB
  MD5: 0f748059ae0c67a1320a0b881cd6cdc8
  SHA1: 956b631e0a4bc5164d6ed1bb2c7d4735e3ff7c97
  SHA256: 4940cfa3cbbda84cc549d5ce5c9acedfb0dd9f26ecd5a534c87b0dedd496dd2d
  SHA512: 32b98b038d0bf33154fe605952a473b32b7fd1b0b294c85e08135d5e8a8f9c5bf8c90eb7132d6b13dc3ad6d446750a52a54dcb7bf58c2be22699631e5b9cc6a3
- Filesize: 738KB
  MD5: feece3ad778e31679725bd59404a6974
  SHA1: c35728dd7a9ac68fc40741dfdcb17e20381c04ad
  SHA256: 00f2398934b33502dc17652c9c29b8ef7871022c08ee90cde5eb6554934d856e
  SHA512: 1ae87bb8751e1741e8827e08244fd2d780f9aff1576943f4eecb70f4f8c3489d49d2466848764f8e0c916c420633b0de9a2aea53a778a2eeaa2b655e0f61c03b
- Filesize: 23.8MB
  MD5: cb658fb56776f7ccdc60e98db8c90726
  SHA1: 15fe6c6d59d39c64741208710bf7f951f8ca0b87
  SHA256: aad7a894379070fd42dd3934abe0ea80ea958ef4f0282dbad2836ca615de4a62
  SHA512: 9ab63cbd63318c4a9adaf0237074b0b7007c1ca918b494a61d1b96274c5190a1e695485bf91f7dab1e064947f8a190419965329136e4e3d4731269d286655c88
- Filesize: 2.5MB
  MD5: 4fb9764fd798863a62d6c37f7d5a85f6
  SHA1: bf235dc4cecd39f51914aad973bf52c1bd309a38
  SHA256: deca762c55bb9e8c6ea1b61ec71c943ce48393d93f1e72792cc5abdfeb602061
  SHA512: fd361e213cb3e05f263560145286153ae4f0737bc6cfb2227a68b7f80fb7d20abbd16497bc4444ef461573984af725fb2f96163a845af8541f1ae179020ff9a2
- Filesize: 2.0MB
  MD5: 9cb664b660fc1b8ea686c49146148561
  SHA1: afa5b7f53c415a14083714d0b231b159b2a9dcee
  SHA256: fe359707d5108547a76b1b180e3be5df4c1b9e1cf02f0c812d1740c20bdd64ca
  SHA512: a6e3a1ef1465a179955c8ef5152781bc9cd5d1c706ecb6cc72b1426abd0c4f8ab447211cbc992278d9d82789dedc2110506a7a92736b308af8a1b614b8e9f484
- Filesize: 678KB
  MD5: 5fd5e62761da7e540df6d9abecd2452a
  SHA1: 83c6dd33c7b1fd0241d1e4b052cbf840f1553f55
  SHA256: c79a85f362703652a00e10822e8b27ec48a9bc907e624ee72bc284f7ca15946e
  SHA512: 1788476f018ee17eb88fe719974d772cabc028184af8c680916c47e9212c8a7a9f1e4b3a6333418cb75671fd941ae0bbf32f35e41f73bbbba0506a368f9e355a
- Filesize: 487KB
  MD5: 35d081774b51aa6551939d6e1bc0c2d5
  SHA1: 222a55fa32f6bea4bf509e7db218f90e9055ee00
  SHA256: e7ade68a6891b837790345abf68de24f5dc8f450ac1526cb1895a148bfed0c40
  SHA512: f2a9861dca43bb5817ebd5cde8bb4d6e4483e6ec069358c34314e065e001e672a46f00f97aed9c3c05d3629deeda8abd8c5da8044ed894cb025680431932d77c
- Filesize: 1.0MB
  MD5: c20b7245e1f4dbeae492852eda4f9249
  SHA1: a2df66a1a7a6cbe8f1ff901ff025d73152ffc2a7
  SHA256: 6917c742db2e0df543edb5a890a65e5f09d4ee45ad08578ffa3ca7001cfcc358
  SHA512: 18f7c67c5459fa310ea07cecc7d4ad199d8b01c3b0f6c1781720dfec48f663014be325b77922f8ea25ea8c4b17ea1199eda42552549d424110b18c984aefba90
- Filesize: 489KB
  MD5: 992e3a33ab00840394e34d2979b773ea
  SHA1: b23cbc9684ae32b952f2f32fbd05e4cdd48d0f6f
  SHA256: 735ce48999b5b5d6db84609e3384a91f61c1e075aa8d6110cfec572035388e41
  SHA512: 5f62fe5f68429ecb26a5ad869d5f88fcac8ff1fc1f74f2108bd87b8b655890fb3449fc9242f71edfdf27ef75d5560aa0fdcc481875d37fafe576364a9332354e
- Filesize: 540KB
  MD5: 404f5a6de9f1f21961f9eba52c6a6540
  SHA1: fe3a2c0f48d35fbb66d33ecc29b3d39f627683a2
  SHA256: bdb045e81c722e42faa4d6d74d579f28152257233064a687eea1431c4d351229
  SHA512: aedbb03dc490edc3a999596d687f616e632fbbe670a5e87e8ed186a7f6ec7e0f0d8c6548a5c87ceb4715fb7233c67deab00310cba6d2e8915a3a3e5a3ef9de46
- Filesize: 5.4MB
  MD5: 18c671af730e4a1ee8e111b7c4e92a40
  SHA1: 9a6ae7d815434aae1bbf2c962195367893d90c95
  SHA256: b5b1be5d1fb1a61c8158bb4a63a4cd8b31803625b0c0d4b62628fa844640856b
  SHA512: cf0bc2cc804f70c4e806aae53898f74b1eee4c6f34d0003b0f5a207e39cb53d6f60f1c7a7430e799e278a993873657820c0f16c7072ba4ae4c7f3008425fa47f
- Filesize: 637KB
  MD5: 5133701ba4b1789ecc9f8109b235776d
  SHA1: 10a98d54b22eb686c5f3bcb641639f396a2b417b
  SHA256: edd6c0dc9b1d6ec6706b9c1af99dc5549b6c0acda6f76ef8436872b838c1b28a
  SHA512: 3db5fd84c7e2294dd7a7af0f53e591a573bcae77fb946570a8368bf5ba75ec34c5cc9ab4fdafde318c2df0512aeaf44b99895d0f0222ac7a88079742f6960d91
- Filesize: 1.1MB
  MD5: d8d5ce39d3e894de50d18451a6341ca6
  SHA1: 2707e184b3b5697a7d9dd801179768b2a831b058
  SHA256: 9a4e24e3612d57b4bfd1159883c5809e8f5345a4109c1fa1112bb9d2ed3d881c
  SHA512: 8e7c7903e9ad33ac8413a93d0528530aa7d694919d6a8ddd0ec4e6aacd315b8e868c9f5ddb0df6c4283c7d8c92166d6b254807d9f618c2dc1037e558ce01a84d
- Filesize: 406KB
  MD5: 87847f6ea37ef8800575502178e6bfe2
  SHA1: bee569effbf58f7a70e6ff10d3c4f5ad3fbf69ff
  SHA256: 03047b16ab6217bca97972444e21ff8ccad22b70f8a2932243a94accc26f2b20
  SHA512: 75598aa3dd413c57ac0a2c632e391acbb6d99b865bb919e59fef28ca0a8a3ea48f662575fb5817d19055b0124be0c656ca320dd8ccc837c64635ab9c9de57b88
- Filesize: 463KB
  MD5: 3fec2c0df39b723654efdcad20b11805
  SHA1: f7b72a3a2207e523ffbe068b282542a348fc6563
  SHA256: a2187d5c3b3bd13b13a6532711da2d9f73d499097e398046f9b005f12194eb13
  SHA512: b2feebc13b5128ec532660937f0eb1d4c7d78a3cebd135b3a2359f699289c245c35cac5a49a22896ee740b3f6754bd386c9aa660c35e4d16808e8eedd8d5e47a
- Filesize: 499KB
  MD5: b8f99c9e8e913c3d71fac658e96036fa
  SHA1: 5a84d90e7d0c1ee2ee3a952cfb064924d9c8bbe6
  SHA256: 1923689b7a25c6e46c67ec853a8800f76c6f4d397e0b5a02230f404b4a8a4000
  SHA512: b08e80c6983031b40a2acd58d80c44c006385a35ea079b78113c7f9e872643a3e98a8ad931df59b59485d4feb7df7709d7ee6a1c8c4fcaed81ce8e7b0c92d018
- Filesize: 1.6MB
  MD5: 102547fd0fb5eae3ffa72dfe002cfe1f
  SHA1: aa53c8145de4ecc1ca1fc1e9f50be90455a75c49
  SHA256: 1317e55f993e58f3a983c0a26c85cdc42122b9a884572a91fa9f86a0ffb5499f
  SHA512: dbaa7bf38488e1d94500f6d3afd9b712597dce999d9c9ebcf1876b567d633464ee5fcd2c6a1e6f3df704cf1c56932cbdb03556ab45231ae47d575c2515516a9d
- Filesize: 416KB
  MD5: 13812baf05067cdd89afb5c962f12820
  SHA1: a8b6da84ad2843e1c406f6d1cfad50404383e1ac
  SHA256: 3207ec5d3869b07609f2bb851068b67b8d8022605d4bf0c379db90819442147f
  SHA512: a714faa03be05ac5a61bff90379618ebaabb894c62a3bb913930ca4e41dc45a2f6e32e2fb4da2079f8fde2c4a211917849034f954f1a42e39abdf970128594aa