Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12/04/2024, 04:37
Behavioral task: behavioral1
Sample: ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
Size: 1.3MB
MD5: ef2552356f37762ec0be048a2bc298b7
SHA1: 7702225fd0272119bb2434ce8489b3c47b0206bc
SHA256: 8fd3e42477ed5f25dfb66da7d0c7606b47292ccd04c0351dc4b5dd893196713b
SHA512: ca826a9eb6b3eaf87c5c73f13b2cca20d16582082f83b72b0b1238000766b0249e84984bc198452bbbfcb671f929ae6b1e6204d856e69cbd215384b7792d29a8
SSDEEP: 24576:VEkR6s3ywy2S/HmH/Trg/YZbMBXGuFCTmdve5tzFhkwc2ZNtgnuhm0vj8r117Hpf:VT6gzyfmCBXGCCTmNYrhkwc2Dm0vAr1r
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC8080E0-DA2D-BCF0-D004-BC36C52C0009} | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC8080E0-DA2D-BCF0-D004-BC36C52C0009}\StubPath = "C:\\Windows\\svchost.exe" | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC8080E0-DA2D-BCF0-D004-BC36C52C0009}\ = "ms_w" | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC8080E0-DA2D-BCF0-D004-BC36C52C0009}\ComponentID = "ms_w" | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC8080E0-DA2D-BCF0-D004-BC36C52C0009}\Locale = "DE" | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC8080E0-DA2D-BCF0-D004-BC36C52C0009}\Version = "6,5,5,3" | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
pid | Process
2692 | svchost.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Wine | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
Key opened | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Wine | svchost.exe
resource | yara_rule
behavioral1/memory/3036-0-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/3036-5-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/files/0x000e0000000126f5-13.dat | themida
behavioral1/memory/2692-17-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-21-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/3036-41-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/3036-47-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-48-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-49-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-51-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-52-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-53-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-54-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-55-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-56-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-57-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-58-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-59-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-60-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-61-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-62-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
behavioral1/memory/2692-63-0x0000000000400000-0x00000000006D7000-memory.dmp | themida
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\svchost.exe" | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\win.com | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\svchost.exe | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
File created | C:\Windows\svchost.exe | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
File opened for modification | C:\Windows\svchost.exe | svchost.exe
File opened for modification | C:\Windows\mswinsck.ocx | svchost.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
Token: SeBackupPrivilege | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
2680 | mspaint.exe
2692 | svchost.exe
2692 | svchost.exe
2680 | mspaint.exe
2680 | mspaint.exe
2680 | mspaint.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 3036 wrote to memory of 2680 | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe | 28
PID 3036 wrote to memory of 2680 | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe | 28
PID 3036 wrote to memory of 2680 | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe | 28
PID 3036 wrote to memory of 2680 | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe | 28
PID 3036 wrote to memory of 2680 | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe | 28
PID 3036 wrote to memory of 2680 | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe | 28
PID 3036 wrote to memory of 2680 | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe | 28
PID 3036 wrote to memory of 2692 | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe | 29
PID 3036 wrote to memory of 2692 | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe | 29
PID 3036 wrote to memory of 2692 | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe | 29
PID 3036 wrote to memory of 2692 | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe | 29
PID 3036 wrote to memory of 2692 | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe | 29
PID 3036 wrote to memory of 2692 | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe | 29
PID 3036 wrote to memory of 2692 | 3036 | ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe | 29
PID 2692 wrote to memory of 1948 | 2692 | svchost.exe | 31
PID 2692 wrote to memory of 1948 | 2692 | svchost.exe | 31
PID 2692 wrote to memory of 1948 | 2692 | svchost.exe | 31
PID 2692 wrote to memory of 1948 | 2692 | svchost.exe | 31
PID 2692 wrote to memory of 1948 | 2692 | svchost.exe | 31
PID 2692 wrote to memory of 1948 | 2692 | svchost.exe | 31
PID 2692 wrote to memory of 1948 | 2692 | svchost.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef2552356f37762ec0be048a2bc298b7_JaffaCakes118.exe"
  - Modifies Installed Components in the registry
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3036
  C:\Windows\SysWOW64\mspaint.exe
    Command line: "C:\Windows\System32\mspaint.exe"
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID: 2680
  C:\Windows\svchost.exe
    Command line: C:\Windows\svchost.exe 1
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2692
    C:\Windows\SysWOW64\regsvr32.exe
      Command line: regsvr32 /s "C:\Windows\mswinsck.ocx"
      - Modifies registry class
      PID: 1948
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 105KB
MD5: 9484c04258830aa3c2f2a70eb041414c
SHA1: b242a4fb0e9dcf14cb51dc36027baff9a79cb823
SHA256: bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5
SHA512: 9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0
Filesize: 1.3MB
MD5: ef2552356f37762ec0be048a2bc298b7
SHA1: 7702225fd0272119bb2434ce8489b3c47b0206bc
SHA256: 8fd3e42477ed5f25dfb66da7d0c7606b47292ccd04c0351dc4b5dd893196713b
SHA512: ca826a9eb6b3eaf87c5c73f13b2cca20d16582082f83b72b0b1238000766b0249e84984bc198452bbbfcb671f929ae6b1e6204d856e69cbd215384b7792d29a8