c0d06487a7c9511ad8e9bfa9af21146d8a21db596e9e0033d238ef5133c9758f

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe
Size

5.1MB
MD5

f1ca7c616978920afb05b27a3356ce86
SHA1

2063e7acd5b5592aeaf9ddb90fcc4526d8e1bc39
SHA256

c0d06487a7c9511ad8e9bfa9af21146d8a21db596e9e0033d238ef5133c9758f
SHA512

f28ea9e13fc93073bd8c3736e3dd0221919319c70ce286e1191c115061d89bace831f6bf7ef83688b995178d23343159ae7d8041c5d694ce33c023484f50b432
SSDEEP

98304:PaFb8aYUzS65+x1SG1Ial278WzX5jpNqCCsMrOc1R3FcwsGIg6IdQBUpQtZ8rXvo:yAaYcS65+x1SVVqCCsMrOl7Z

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe
1888	jq.exe
1480	jq.exe
1540	jq.exe

Loads dropped DLL 11 IoCs

pid	Process
2144	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe
1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe
1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe
1236	Process not Found
1236	Process not Found
1236	Process not Found
1236	Process not Found
1436	cmd.exe
1676	cmd.exe
980	cmd.exe
1236	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2572	WMIC.exe
Token: SeRemoteShutdownPrivilege	2572	WMIC.exe
Token: SeUndockPrivilege	2572	WMIC.exe
Token: SeManageVolumePrivilege	2572	WMIC.exe
Token: 33	2572	WMIC.exe
Token: 34	2572	WMIC.exe
Token: 35	2572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2572	WMIC.exe
Token: SeRemoteShutdownPrivilege	2572	WMIC.exe
Token: SeUndockPrivilege	2572	WMIC.exe
Token: SeManageVolumePrivilege	2572	WMIC.exe
Token: 33	2572	WMIC.exe
Token: 34	2572	WMIC.exe
Token: 35	2572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1840	WMIC.exe
Token: SeSecurityPrivilege	1840	WMIC.exe
Token: SeTakeOwnershipPrivilege	1840	WMIC.exe
Token: SeLoadDriverPrivilege	1840	WMIC.exe
Token: SeSystemProfilePrivilege	1840	WMIC.exe
Token: SeSystemtimePrivilege	1840	WMIC.exe
Token: SeProfSingleProcessPrivilege	1840	WMIC.exe
Token: SeIncBasePriorityPrivilege	1840	WMIC.exe
Token: SeCreatePagefilePrivilege	1840	WMIC.exe
Token: SeBackupPrivilege	1840	WMIC.exe
Token: SeRestorePrivilege	1840	WMIC.exe
Token: SeShutdownPrivilege	1840	WMIC.exe
Token: SeDebugPrivilege	1840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1840	WMIC.exe
Token: SeRemoteShutdownPrivilege	1840	WMIC.exe
Token: SeUndockPrivilege	1840	WMIC.exe
Token: SeManageVolumePrivilege	1840	WMIC.exe
Token: 33	1840	WMIC.exe
Token: 34	1840	WMIC.exe
Token: 35	1840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1840	WMIC.exe
Token: SeSecurityPrivilege	1840	WMIC.exe
Token: SeTakeOwnershipPrivilege	1840	WMIC.exe
Token: SeLoadDriverPrivilege	1840	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 1628	2144	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	28
PID 2144 wrote to memory of 1628	2144	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	28
PID 2144 wrote to memory of 1628	2144	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	28
PID 1628 wrote to memory of 2560	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	29
PID 1628 wrote to memory of 2560	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	29
PID 1628 wrote to memory of 2560	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	29
PID 2560 wrote to memory of 2764	2560	cmd.exe	32
PID 2560 wrote to memory of 2764	2560	cmd.exe	32
PID 2560 wrote to memory of 2764	2560	cmd.exe	32
PID 2560 wrote to memory of 2636	2560	cmd.exe	33
PID 2560 wrote to memory of 2636	2560	cmd.exe	33
PID 2560 wrote to memory of 2636	2560	cmd.exe	33
PID 1628 wrote to memory of 2976	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	34
PID 1628 wrote to memory of 2976	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	34
PID 1628 wrote to memory of 2976	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	34
PID 2976 wrote to memory of 2572	2976	cmd.exe	36
PID 2976 wrote to memory of 2572	2976	cmd.exe	36
PID 2976 wrote to memory of 2572	2976	cmd.exe	36
PID 2976 wrote to memory of 2704	2976	cmd.exe	37
PID 2976 wrote to memory of 2704	2976	cmd.exe	37
PID 2976 wrote to memory of 2704	2976	cmd.exe	37
PID 1628 wrote to memory of 2980	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	39
PID 1628 wrote to memory of 2980	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	39
PID 1628 wrote to memory of 2980	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	39
PID 2980 wrote to memory of 1840	2980	cmd.exe	41
PID 2980 wrote to memory of 1840	2980	cmd.exe	41
PID 2980 wrote to memory of 1840	2980	cmd.exe	41
PID 2980 wrote to memory of 2420	2980	cmd.exe	42
PID 2980 wrote to memory of 2420	2980	cmd.exe	42
PID 2980 wrote to memory of 2420	2980	cmd.exe	42
PID 1628 wrote to memory of 2204	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	43
PID 1628 wrote to memory of 2204	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	43
PID 1628 wrote to memory of 2204	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	43
PID 2204 wrote to memory of 2788	2204	cmd.exe	45
PID 2204 wrote to memory of 2788	2204	cmd.exe	45
PID 2204 wrote to memory of 2788	2204	cmd.exe	45
PID 2204 wrote to memory of 2796	2204	cmd.exe	46
PID 2204 wrote to memory of 2796	2204	cmd.exe	46
PID 2204 wrote to memory of 2796	2204	cmd.exe	46
PID 1628 wrote to memory of 2876	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	47
PID 1628 wrote to memory of 2876	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	47
PID 1628 wrote to memory of 2876	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	47
PID 2876 wrote to memory of 764	2876	cmd.exe	49
PID 2876 wrote to memory of 764	2876	cmd.exe	49
PID 2876 wrote to memory of 764	2876	cmd.exe	49
PID 2876 wrote to memory of 552	2876	cmd.exe	50
PID 2876 wrote to memory of 552	2876	cmd.exe	50
PID 2876 wrote to memory of 552	2876	cmd.exe	50
PID 1628 wrote to memory of 1232	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	51
PID 1628 wrote to memory of 1232	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	51
PID 1628 wrote to memory of 1232	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	51
PID 1232 wrote to memory of 1424	1232	cmd.exe	53
PID 1232 wrote to memory of 1424	1232	cmd.exe	53
PID 1232 wrote to memory of 1424	1232	cmd.exe	53
PID 1232 wrote to memory of 1992	1232	cmd.exe	54
PID 1232 wrote to memory of 1992	1232	cmd.exe	54
PID 1232 wrote to memory of 1992	1232	cmd.exe	54
PID 1628 wrote to memory of 3008	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	57
PID 1628 wrote to memory of 3008	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	57
PID 1628 wrote to memory of 3008	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	57
PID 1628 wrote to memory of 1936	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	59
PID 1628 wrote to memory of 1936	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	59
PID 1628 wrote to memory of 1936	1628	f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe	59
PID 1936 wrote to memory of 1436	1936	cmd.exe	61

C:\Users\Admin\AppData\Local\Temp\f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\yuzu\f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\yuzu\f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\system32\cmd.exe
    cmd.exe /c echo [system] | find /v "" > C:\Users\Admin\AppData\Local\Temp\system.ini
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo [system] "
      4⤵
      PID:2764
  - - C:\Windows\system32\find.exe
      find /v ""
      4⤵
      PID:2636
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wmic OS get OSArchitecture /format:list | find /v "" >> C:\Users\Admin\AppData\Local\Temp\system.ini
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic OS get OSArchitecture /format:list
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2572
  - - C:\Windows\system32\find.exe
      find /v ""
      4⤵
      PID:2704
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wmic cpu get Name /format:list | find /v "" >> C:\Users\Admin\AppData\Local\Temp\system.ini
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get Name /format:list
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1840
  - - C:\Windows\system32\find.exe
      find /v ""
      4⤵
      PID:2420
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wmic cpu get NumberOfLogicalProcessors /format:list | find /v "" >> C:\Users\Admin\AppData\Local\Temp\system.ini
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get NumberOfLogicalProcessors /format:list
      4⤵
      PID:2788
  - - C:\Windows\system32\find.exe
      find /v ""
      4⤵
      PID:2796
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wmic cpu get MaxClockSpeed /format:list | find /v "" >> C:\Users\Admin\AppData\Local\Temp\system.ini
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get MaxClockSpeed /format:list
      4⤵
      PID:764
  - - C:\Windows\system32\find.exe
      find /v ""
      4⤵
      PID:552
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wmic memorychip get Capacity /format:list | find /v "" >> C:\Users\Admin\AppData\Local\Temp\system.ini
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get Capacity /format:list
      4⤵
      PID:1424
  - - C:\Windows\system32\find.exe
      find /v ""
      4⤵
      PID:1992
- - C:\Windows\system32\cmd.exe
    cmd.exe /c echo [latest] > C:\Users\Admin\AppData\Local\Temp\launcher.ini
    3⤵
    PID:3008
- - C:\Windows\system32\cmd.exe
    cmd.exe /c for /f %l in ('C:\Users\Admin\AppData\Local\Temp\jq.exe .tag_name C:\Users\Admin\AppData\Local\Temp\yuzulauncher.json') do echo version=%l >> C:\Users\Admin\AppData\Local\Temp\launcher.ini
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jq.exe .tag_name C:\Users\Admin\AppData\Local\Temp\yuzulauncher.json
      4⤵
      Loads dropped DLL
      PID:1436
    - - C:\Users\Admin\AppData\Local\Temp\jq.exe
        
        C:\Users\Admin\AppData\Local\Temp\jq.exe .tag_name C:\Users\Admin\AppData\Local\Temp\yuzulauncher.json
        5⤵
        Executes dropped EXE
        
        PID:1888
- - C:\Windows\system32\cmd.exe
    cmd.exe /c for /f %l in ('C:\Users\Admin\AppData\Local\Temp\jq.exe .assets[0].browser_download_url C:\Users\Admin\AppData\Local\Temp\yuzulauncher.json') do echo url=%l >> C:\Users\Admin\AppData\Local\Temp\launcher.ini
    3⤵
    PID:1696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jq.exe .assets[0].browser_download_url C:\Users\Admin\AppData\Local\Temp\yuzulauncher.json
      4⤵
      Loads dropped DLL
      PID:1676
    - - C:\Users\Admin\AppData\Local\Temp\jq.exe
        
        C:\Users\Admin\AppData\Local\Temp\jq.exe .assets[0].browser_download_url C:\Users\Admin\AppData\Local\Temp\yuzulauncher.json
        5⤵
        Executes dropped EXE
        
        PID:1480
- - C:\Windows\system32\cmd.exe
    cmd.exe /c for /f %l in ('C:\Users\Admin\AppData\Local\Temp\jq.exe .assets[0].size C:\Users\Admin\AppData\Local\Temp\yuzulauncher.json') do echo lsize=%l >> C:\Users\Admin\AppData\Local\Temp\launcher.ini
    3⤵
    PID:1364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jq.exe .assets[0].size C:\Users\Admin\AppData\Local\Temp\yuzulauncher.json
      4⤵
      Loads dropped DLL
      PID:980
    - - C:\Users\Admin\AppData\Local\Temp\jq.exe
        
        C:\Users\Admin\AppData\Local\Temp\jq.exe .assets[0].size C:\Users\Admin\AppData\Local\Temp\yuzulauncher.json
        5⤵
        Executes dropped EXE
        
        PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6A9C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\launcher.ini

Filesize
30B

MD5
c6ecce3736770f1673c8c0482df03228

SHA1
929882f968b18392ac2d14d9bbeb00d27583069b

SHA256
a709e33daf759a9b6971f14ffcccf91fbbe044133caa034dcf5a507b17899e68

SHA512
5503632a8dd4249df5a6ed88a222308de6993384d6f85eefd408e977c92653987cb85eb257ed760a6620809deddd2dd2fadb53aec793104f627057678ad9d00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\launcher.ini

Filesize
157B

MD5
b50831bd01de89d689eb3a89bb4ae534

SHA1
fac0efd5e79832e57d157e40e0f8e526e205ded1

SHA256
ea2f0a3e75feb867eb14009a8b82cded2a157de85859f7419acd4a8820208c88

SHA512
1d9db7a837e308ee16a7b3fd2f1c10b1f8c3349937456e502d521688e40f3e03a9a1285841f368964222b22c16441848d8e19c99b689dddc229cf67469e5c63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\launcher.ini

Filesize
173B

MD5
200a09c5369b58929ef4817fc0f602d8

SHA1
ea14320f8b1560a129d78eb48ab445e65cc37d31

SHA256
934b68065957451b3ef1354e46cf931e07e0c659f53094bdd1e30c486d8402ae

SHA512
a16492400bde2dea1cc1daabb0a42726843eab85baa451d93b10747f63d49beec885b73d72ff7aa512c936ece86985e06c9653408a1595f6ab4e079092b36f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\logo.png

Filesize
40KB

MD5
003351041fbf9d30fc98be74bf34aa09

SHA1
84c127ffb76abf67fa328e12adad1134b2311b7a

SHA256
9e9b2a35ba5dcc5c3cee7b4c00bdfd53cd520a1ecae4074107b110d95a125b88

SHA512
57c3dc6ba28a85e9c1083c2bdaac89c9a5410e493d40c850df2f0a48e0728c9658ca5e2d7c9770d1a2c51fa3d90a68031248f278d73e0c4d84176cf9d17fe71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.ini

Filesize
11B

MD5
8c66f68bbb68cf374b7851f04669f074

SHA1
67d8c4f9c390c5c6f1db175fb72418509089d42a

SHA256
be2a6d851ac763a566bdffc7efe5f3559fe14f048697f26e254f9cb625af9a7d

SHA512
9a928d7a7a57a52b9d203547c1714ff2db19a4229eb5ee118005a62ad95f355655fd649dc13d455330cf860aeeca270b92a41bd76745cc5e0fb324fc92411de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.ini

Filesize
50B

MD5
b97845e0fd15ce90ec12b1b8a3e90861

SHA1
b6d281c7ef0486727a6cb6f7470ea3d2f51b9063

SHA256
3ecfa7c5b9aad001b054692f5fb735bb45f2d7d00d2b89b16063cd5c9ade5662

SHA512
d75ae89cff738d37aae398f67ed2af921309ff2fc06fb748c9e8fd24c8bce661447fe3e86745c49d6955003ef35bbbe083bb8132c26429d3b8f8fc53525c7c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.ini

Filesize
105B

MD5
03bf36dacf9ed0e4edd3a73290cc3aa7

SHA1
ad49690fb9c9941e6a74248dd1f9406b58f5a9a6

SHA256
3f67a08b3654e77fd78d6493c702cd0a7325d25c8da21a67de4f5aa360250165

SHA512
ec3a0df2cfbb5d87b186d0cca7954d3be915591303675e607c780f56b570eac29b9f19f3fe702b138ac2a80d8fb6c513061202e9a2d6c92b25282b1a39a9d2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.ini

Filesize
150B

MD5
4913a56ed17d0ccbdc920fad3c1c1c46

SHA1
588dd47af295fd0f8f44448dae8bf644e402013e

SHA256
ec63e4d54a05e5ef7a8cb25aa98faf5fdd20e16fcd31c1ecbd83b89654d526d0

SHA512
7a4a31938c090dcd506d81adf6ae6c88b5a07cf0d39925825c13795f7000618a0d77a77f4c4a4b1254164630131761f836d798921764d014e22b93a3b23942aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.ini

Filesize
186B

MD5
e2e2a6a65b400f4e6f5ff6dbe72edf3a

SHA1
7e02bd3bac9dedae2fefc03963ca32b4a8b6fb06

SHA256
69c992f8a7a89cd18df2dacc500d14352e1de8b210d86d21139c47ccf73ca0c4

SHA512
f12e53c6c4fa1e752cefba7f4b0234910cd465a7a2e74a922bf8bd2b9021d24d58f784a0e06a0387f64067d32f80bfa2e0a7f75b0820fc725307ad79548e101a

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.ini

Filesize
223B

MD5
34b49e1055c9766f3d379d1370def0db

SHA1
b7f6185bc1ce7ebdc979844a1bc00862bfb934a3

SHA256
845a9b0e100c45f330a041be91301681bcae81c9fdeb6969d6372917ee73b203

SHA512
af25b0bda4693bb565b34ce6fda5351558bcabd0d1af34f15c1d6b681802ec3595bd85177c8d1ad0b8525bfeccca7c5307bbe5df86b67dff9cf1f2c63ddc700d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuzulauncher.json

Filesize
3KB

MD5
89753f9619e85d28471be1144e68914a

SHA1
07de6110cc1405f8309084d3effc77cd2ec15c77

SHA256
27088f64efc92c02d34e53dbb25ff9260cb2621f5dfe58774f1722cbc773c389

SHA512
607290a6c975a053ffff0b6497f099931ec357d8926edab932160f1e11310907bf54bd773d0a9ed8ebc5d9a42d8f727173ae7e59326d43c70d93a51bedcbae19

Download Submit
\Users\Admin\AppData\Local\Temp\jq.exe

Filesize
3.4MB

MD5
af2b0264f264dde1fe705ca243886fb2

SHA1
2b7ae7b902aa251b55f2fd73ad5b067d2215ce78

SHA256
a51d36968dcbdeabb3142c6f5cf9b401a65dc3a095f3144bd0c118d5bb192753

SHA512
58127bae7b27d963cb4ec19779e5ab0938db69190ec66985694320af787e696a8acd490b967255a7fed4c28ec6a2c2bfcd6efbb5b85ec2a950b3e318113d5cde

Download Submit
\Users\Admin\AppData\Local\yuzu\f1ca7c616978920afb05b27a3356ce86_JaffaCakes118.exe

Filesize
5.1MB

MD5
f1ca7c616978920afb05b27a3356ce86

SHA1
2063e7acd5b5592aeaf9ddb90fcc4526d8e1bc39

SHA256
c0d06487a7c9511ad8e9bfa9af21146d8a21db596e9e0033d238ef5133c9758f

SHA512
f28ea9e13fc93073bd8c3736e3dd0221919319c70ce286e1191c115061d89bace831f6bf7ef83688b995178d23343159ae7d8041c5d694ce33c023484f50b432

Download Submit
memory/1480-105-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/1540-111-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/1888-99-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download