Analysis
-
max time kernel
151s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system -
submitted
17-04-2024 09:25
Static task
static1
General
-
Target
f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
-
Size
705KB
-
MD5
f576fb70250aecee421413812165b2cf
-
SHA1
b47c89f5ee4b67e344d7981b3b1b7be96f31f04c
-
SHA256
8e7cb0d2a8b6bef4d3593241f68d25043a559db262b51e332cb2dc5e6dc9d76b
-
SHA512
95817095003b6aeb11ef5080acb0f3af3ead2fb3eb1c1a7e2e3b1c6fcb931f9a96bcae0da1dfdfca3bdc06d60c40da54adb98c23d99f7cd3a2ac25107653adfa
-
SSDEEP
12288:tDJnJM4OpSpnO8kTZlMro5FB4ODBrfpl7NvrZlcGakjKTQF17yPft5QCbX:VJnJM4OqTW34WFB4ODd7NNlqkjxFJcTv
Malware Config
Signatures
-
Expiro payload 2 IoCs
Processes:
resource yara_rule
behavioral1/memory/5096-61-0x0000000140000000-0x000000014016C000-memory.dmp family_expiro1
behavioral1/memory/4444-152-0x0000000140000000-0x0000000140136000-memory.dmp family_expiro1
-
Disables taskbar notifications via registry modification
Processes: alg.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-776854024-226333264-2052258302-1000 alg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-776854024-226333264-2052258302-1000\EnableNotifications = "0" alg.exe
-
Executes dropped EXE 7 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe
pid process
4444 alg.exe
1556 DiagnosticsHub.StandardCollector.Service.exe
2072 fxssvc.exe
5068 elevation_service.exe
4880 elevation_service.exe
5000 maintenanceservice.exe
1116 msdtc.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: alg.exe, f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
description ioc process
File opened (read-only) \??\I: alg.exe
File opened (read-only) \??\S: alg.exe
File opened (read-only) \??\H: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\K: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\L: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\X: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\N: alg.exe
File opened (read-only) \??\O: alg.exe
File opened (read-only) \??\N: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\Z: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\M: alg.exe
File opened (read-only) \??\Q: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\S: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\T: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\E: alg.exe
File opened (read-only) \??\H: alg.exe
File opened (read-only) \??\R: alg.exe
File opened (read-only) \??\V: alg.exe
File opened (read-only) \??\E: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\M: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\K: alg.exe
File opened (read-only) \??\W: alg.exe
File opened (read-only) \??\X: alg.exe
File opened (read-only) \??\O: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\R: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\J: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\V: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\J: alg.exe
File opened (read-only) \??\L: alg.exe
File opened (read-only) \??\T: alg.exe
File opened (read-only) \??\U: alg.exe
File opened (read-only) \??\Z: alg.exe
File opened (read-only) \??\G: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\P: alg.exe
File opened (read-only) \??\W: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\Y: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\G: alg.exe
File opened (read-only) \??\Q: alg.exe
File opened (read-only) \??\Y: alg.exe
File opened (read-only) \??\I: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\P: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened (read-only) \??\U: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
-
Drops file in System32 directory 64 IoCs
Processes: alg.exe, f576fb70250aecee421413812165b2cf_JaffaCakes118.exe, msdtc.exe
description ioc process
File opened for modification \??\c:\windows\system32\Appvclient.exe alg.exe
File opened for modification \??\c:\windows\system32\lsass.exe alg.exe
File opened for modification \??\c:\windows\system32\spectrum.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\windows\system32\nnpmochj.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\msdtc.exe alg.exe
File created \??\c:\windows\system32\fgbdmmlf.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\syswow64\perfhost.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\sgrmbroker.exe alg.exe
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\bnfmpeon.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\svchost.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\dllhost.exe alg.exe
File opened for modification \??\c:\windows\system32\sgrmbroker.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\vssvc.exe alg.exe
File created \??\c:\windows\system32\dhhbohpc.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe alg.exe
File opened for modification \??\c:\windows\syswow64\perfhost.exe alg.exe
File opened for modification \??\c:\windows\system32\locator.exe alg.exe
File opened for modification \??\c:\windows\system32\Agentservice.exe alg.exe
File created \??\c:\windows\syswow64\hekoedaa.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\locator.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\tieringengineservice.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\windows\system32\nijcldql.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\windows\system32\hklknpad.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\svchost.exe alg.exe
File opened for modification \??\c:\windows\system32\spectrum.exe alg.exe
File created \??\c:\windows\system32\elgcncdk.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\windows\system32\lmoafpqg.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\windows\system32\onbgckbq.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\lsass.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\windows\system32\hmliadmc.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\vds.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\windows\system32\mbbpicfj.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\windows\system32\oodlcboa.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\vssvc.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created C:\Windows\System32\WindowsPowerShell\v1.0\gifanfhh.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\sensordataservice.exe alg.exe
File opened for modification \??\c:\windows\system32\sensordataservice.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\windows\system32\ekaflqll.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification \??\c:\windows\system32\searchindexer.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe alg.exe
File opened for modification \??\c:\windows\system32\searchindexer.exe alg.exe
File opened for modification \??\c:\windows\system32\snmptrap.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\windows\system32\igkfpdgc.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\windows\system32\becpkbah.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\fxssvc.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\msiexec.exe alg.exe
File opened for modification \??\c:\windows\system32\snmptrap.exe alg.exe
File created \??\c:\windows\system32\eglafbcn.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\alg.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\Appvclient.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\dllhost.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\Agentservice.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\fxssvc.exe alg.exe
File opened for modification \??\c:\windows\system32\msiexec.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\windows\system32\perceptionsimulation\noclqphg.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\windows\system32\openssh\amkeblhj.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\system32\wbengine.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
-
Drops file in Program Files directory 64 IoCs
Processes: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe, maintenanceservice.exe, alg.exe
description ioc process
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log maintenanceservice.exe
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created C:\Program Files (x86)\Microsoft\Edge\Application\gihphogm.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe alg.exe
File created C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe alg.exe
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\lhbjhkab.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\program files\google\chrome\Application\110.0.5481.104\elevation_service.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\njlikodj.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\7-Zip\7z.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe alg.exe
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe alg.exe
File created C:\Program Files\7-Zip\gkooamha.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\program files\common files\microsoft shared\source engine\ose.exe alg.exe
File created C:\Program Files\7-Zip\jgpijieg.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created C:\Program Files\dotnet\ddnfppgh.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\program files\google\chrome\Application\110.0.5481.104\elevation_service.exe alg.exe
File created \??\c:\program files (x86)\mozilla maintenance service\pmacpaal.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created C:\Program Files\7-Zip\nccafaqk.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe alg.exe
File created C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe alg.exe
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\program files\google\chrome\Application\110.0.5481.104\pcjhfgbj.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe alg.exe
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\miqfjfol.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\program files\common files\microsoft shared\source engine\hjmpinqi.tmp alg.exe
File opened for modification C:\Program Files\7-Zip\7z.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created C:\Program Files\7-Zip\lncjookl.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
-
Drops file in Windows directory 6 IoCs
Processes: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe, alg.exe, msdtc.exe
description ioc process
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe alg.exe
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe alg.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
File created \??\c:\windows\servicing\hejedhkd.tmp f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes: fxssvc.exe
description ioc process
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes: alg.exe
pid process
4444 alg.exe (the same entry is listed 42 times)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
668
668
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: f576fb70250aecee421413812165b2cf_JaffaCakes118.exe, fxssvc.exe, alg.exe
description pid process
Token: SeTakeOwnershipPrivilege 5096 f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
Token: SeAuditPrivilege 2072 fxssvc.exe
Token: SeTakeOwnershipPrivilege 4444 alg.exe
-
System policy modification 1 TTPs 2 IoCs
Processes: alg.exe
description ioc process
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer alg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" alg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5096
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4444
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:1556
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1052
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:5068
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4880
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:5000
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1116
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.9MB
MD5
fd7bc9b4494dc29518fa32226b3033dc
SHA1
02ec7bdbdde894b8270fdb6bc9982c884a8b79b6
SHA256
a6d5ee5bda9542edd9567f7d5aaac3c3a47f5353233d7bd7ba8dc2539bbee0e3
SHA512
25c40e6dbc6642829c38dcf037f922e17f449cba455a17efbeeda4aa85c0ee339b0c93045639964d3b8368dfc5e5f2ca6554dff99cea0970f77e446869921beb
-
Filesize
629KB
MD5
da213edee6e29dee1bd9655ed914dc71
SHA1
e95bb17eae4f2ef07d1d580a0c14dd5037f9cac2
SHA256
5fdd2b61a5b2d02ff83f013904cd666dce5941eaa0436e16e04ad5165d4817d7
SHA512
8df26d5c943f357503c9ecd5dad8d782c4f64b06a3a226035b217632f202b2c15eb5454037ba5709d524cf6df4286f8979a9b9fb20ce3aa6a619d3c9b3fd0289
-
Filesize
940KB
MD5
26f90aa02f1c6f06be07f7d44396c250
SHA1
662f0db085fc9e279a82fe4087224b28a58f28f4
SHA256
a2489efb37653db1beb9647c32d65cb0e7d4968cf07f512709a5136bfd11beeb
SHA512
9aae7eed4aa425beafbfba2eab3ec3589a108475b6cf5cdc893d4a0b4c90d1c0e384a3332b9a253ae9e529ecc4425385de8dd9067f3f417385a022affca0bb85
-
Filesize
1.3MB
MD5
5c0f3e9bfb61e77f647c76edaed24eb8
SHA1
e31672668d3822af49275405bdce660ae9cf219c
SHA256
6292405c4c239d41d64b2e19b7981f0a754d831873f6ed82d5bb64bead437022
SHA512
ad68ea2e2b628af935ea585849c0dbbcc6461f90595ecffbb6f6646e3a37d55fc7b3765f63ca579de5d1a2f7018304403d8bec362ecfca69e5160a2ed5e70e9b
-
Filesize
410KB
MD5
23d052b442ffeb9fd1bdcecadb31b489
SHA1
beafe79a7a463bde076f32e54660fc0b54efaaf4
SHA256
3d7740b7ffca89229747d0add16fe5c35a5ad31f615cacb54f4763bdf939a96d
SHA512
8d6a362ed61f1929bade60d5bbc38c5dfdee747520af9c8c2c9602afc413564a4b4e5871bedf04748387f6c6363d320928e50a39ddb9513f4fb67bc3ad466906
-
Filesize
672KB
MD5
57bbd0ca00e9d6e5cf7e59592ec8f3eb
SHA1
d8e686ad4993c68ba4bf9045e9330a55e5c71a01
SHA256
6a1b81ce8834be95e949a9ef83e00c5e59c7acfad3576c340d9a3781b07ce6db
SHA512
a9de4bc7a0de634fed4a125277ff6c0a4ad8787264d67d5494e4969b2f47e804db23f1e0323d59e987be118033ed9b372612ea9c1ab945f4d287c1fbc622ed72
-
Filesize
4.5MB
MD5
86bd0f030d8bbd88020df287ef0551a2
SHA1
ba4b9ce9349a85251430444a78e0229aab787cdc
SHA256
6d331014271d082923a2e466fac37897d08e621954bf3c075b88c8c50554bd84
SHA512
69236c24469f8473161533199c31e43145d1312fc9e3365c1e64a89062525df7fff93783ea3c9213dd7bb6d3cfd064e49b18b957a12e44ba898874c7f83632d5
-
Filesize
738KB
MD5
95ed14dc1955bfb2f449f4dd22301e1d
SHA1
3630be3214d7867f968a621670f7662c2be99440
SHA256
bf451aba18000dd106a117965a22ef582899143a30e31dd4a29a77bdce05c5fa
SHA512
b7093f3e8702e3335e808c919fb125e405e88b77f30e1d136f4784c63c5c76ca6db8cc0fee4c5805539f4c5278969bea21fba22c704e696b65a9625ae8831bd5
-
Filesize
23.8MB
MD5
8c4f9ff3b4b945c24a9d9bf665d17afa
SHA1
76000da1e48227a38f5a3d52fab90e2b6a395c41
SHA256
a25c9f6eabfad4d48c7cd1948d5b9d689e13815302d517b3cb26223d00ffd286
SHA512
7e364dc06bf8992ced0834513b2936f77709239ef507c2cd2b3e22555ab434ff2235997937aacef07b32997b4d87428039c9c5f21826f15c77fe02247f55dfc9
-
Filesize
2.5MB
MD5
76b3f1740cd837fb56bb9d1e51523981
SHA1
33b3721fff9a17594b03799de752c35e71403af6
SHA256
cdd9ca39e2560c0b0b3427c157863d74c715faa9749fcb888eebc43db372a2fb
SHA512
f83e84f0b9096ad65741fee55dab44b76f7c6778eb3d9ac3d9cca48f0319f3250bc5f16d1805cf22514fb6db0f3e074d69239d71531a6bb34f6cf8d813d2fc46
-
Filesize
637KB
MD5
7048625ede7b0b20393ddcaf12480f18
SHA1
6cfe91119e221799d3c2052a94b283a07ff92eef
SHA256
848e468ddd5360a37acbab607c15880735b238f338dd30ec16e587f1bf8b29b4
SHA512
16507c17374037304e523bdde32ffbe8c33988f8775d4626af41f344d56c18e02df890f3a6632636902c88f6813ea080319da08d03954c4f71088f5847cc6e76
-
Filesize
2.0MB
MD5
a9f14d3ee2358180d5b370d32a77d945
SHA1
5987eff4c4096b1f707992585526d0904f14e5c5
SHA256
8d813091a0fd71b46b08cb11c3a80cf6182cfff32136ed7b03957d074d145d7e
SHA512
576f5dbd9f70b8ef1f645416af36709e8f753b93db89828179d8a2c789bb39c205b4a7891cca640504f28fc232acd3a9384082b96b9fe96428742e4cb75449cf
-
Filesize
678KB
MD5
bbb4158ffcdf4d5cdb48bc465b227ce3
SHA1
e28939c6b78aec1bce76a280abfb72281c987828
SHA256
295cc467796dac12833ff45bca14dcbbb596443fe4a72cf891cd872055b266e4
SHA512
286e4faedeb93ec6fe3eb35196798e445beb47e7c2c9e89066d335d1b96195e946cb1ae30154eeabd4b3360648c5dc11d96bc3d4b06544e32026320220cac511
-
Filesize
487KB
MD5
0d5c784ac8a2f4998dc5469b07af1f38
SHA1
10df10993bb763d565dc106d0f7dd04d13cf960d
SHA256
41446ceaafbb04028a7c0601d015f21dd2ba2362552d83e2385ad716dda331a2
SHA512
f06eebba0003654984104eb5fc295ed8fcc81cdfdd5beb149bb01246a464790e56f1554529db200e6dde0bcb0bb3f66f946df5237f637496757072a58484d88f
-
Filesize
1.0MB
MD5
3d6d58fb88c177b14dfbf9ca846e1662
SHA1
b7193eb1dd885641f98dc320a4cb1ae6392b5eff
SHA256
bea130e6ce51b06dde0a6b3e0887ab0a6db340944a4ef98ac0a814b67640f3b4
SHA512
f2a6ca8c394ace43dd4477cc6e261cdfee67134c11f930fb8f4f2e4d19adcf2ef9f94f98e9fcc2b7f24b1344bc8079f61a9befca7e83c50c7b3565a08dfdb7ae
-
Filesize
489KB
MD5
7c6cac95772c914885e8b33b481eccf4
SHA1
7b5d22429048b95044f3e8730deae465f6eeb5b0
SHA256
353bc0d1c6ef96bd038fec7d69b1fbcb13a078639c4275118f1a7cd8209fe683
SHA512
047477a039800e972ba220c778b26d284ba1a601c423df2f835897ab010a3b6f710a4325598f2f5421e397c2cb7d7ac3d54c4bedc610d4b082bcd6dc614b5c5e
-
Filesize
540KB
MD5
c3a6be13fc503833f7bd917e0fb5a8de
SHA1
dac59553f09118f9c83ed9a845404b7c2f792e69
SHA256
4bc5d7cbcedc0384dacb346339fde724989eb475a0ed3eea2174f14bf85af9ba
SHA512
e9f2bed981a3bc599768c54d3d24f4123c74bd5da41b0906b0ec00dc6f38860c97ddc11f56c15370d2a4ac5abc06427ad0476132e3b7160f2f0ac3ca701f07bf
-
Filesize
1.1MB
MD5
7d68553da0bad961b0d28b6520e702f6
SHA1
8662fb85753d591531fe438884a092cf09b30074
SHA256
959c5ca4fff9e9618d14dfd1844d668ac69100bd10719f5469b13ba712425ab7
SHA512
08373c0cf4948fa16965f260a18f2bd09f0b0fd3fdac19f14f2237ffd66dd4a34b70ee6fa209b5b7826eae1fe474310ab4e618dcea42c572e0f8237c9a04a902