Analysis
-
max time kernel
169s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system -
submitted
17-04-2024 13:41
Static task
static1
General
-
Target
f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
-
Size
705KB
-
MD5
f5e803f430fcd2bb59b59604d3b42063
-
SHA1
22b93f1ece7ccfb039acf7ff6d164e9ba3977034
-
SHA256
084f787a0c52d0282f9867cb2555ef2ff38185c35f4165115fe6082671623da8
-
SHA512
9742ba227bae6ffaa93ceb823dd2792d3c7e49548c9d6a042c79bc18290d4cd8636e57f2841a9b7832f5ba45b715215ede9f9bb13511a9f434ab69b7bda1b62e
-
SSDEEP
12288:9DJnJM4OpSpnO8kTslsIqrQAq/LE9Eb97BeGdypTRvcoI:lJnJM4OqTWWsIqrQAq/LE9EJ7BeGd46o
Malware Config
Signatures
-
Expiro payload 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2708-71-0x0000000140000000-0x000000014016C000-memory.dmp   family_expiro1
behavioral1/memory/1180-135-0x0000000140000000-0x0000000140136000-memory.dmp  family_expiro1
-
Windows security modification
Disables taskbar notifications via registry modification
Processes:
description      ioc                                                                                                                             process
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-776854024-226333264-2052258302-1000                            alg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-776854024-226333264-2052258302-1000\EnableNotifications = "0"  alg.exe
-
Executes dropped EXE 7 IoCs
Processes:
pid   process
1180  alg.exe
788   DiagnosticsHub.StandardCollector.Service.exe
8     fxssvc.exe
2808  elevation_service.exe
3692  elevation_service.exe
3344  msdtc.exe
4896  msiexec.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description              ioc     process
File opened (read-only)  \??\M:  alg.exe
File opened (read-only)  \??\G:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\R:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\W:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\O:  alg.exe
File opened (read-only)  \??\W:  alg.exe
File opened (read-only)  \??\X:  alg.exe
File opened (read-only)  \??\Q:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\Y:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\K:  alg.exe
File opened (read-only)  \??\Q:  alg.exe
File opened (read-only)  \??\E:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\I:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\N:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\J:  alg.exe
File opened (read-only)  \??\U:  alg.exe
File opened (read-only)  \??\O:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\T:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\G:  alg.exe
File opened (read-only)  \??\T:  alg.exe
File opened (read-only)  \??\Z:  alg.exe
File opened (read-only)  \??\K:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\X:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\R:  alg.exe
File opened (read-only)  \??\H:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\L:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\P:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\U:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\V:  alg.exe
File opened (read-only)  \??\Y:  alg.exe
File opened (read-only)  \??\M:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\E:  alg.exe
File opened (read-only)  \??\H:  alg.exe
File opened (read-only)  \??\L:  alg.exe
File opened (read-only)  \??\N:  alg.exe
File opened (read-only)  \??\S:  alg.exe
File opened (read-only)  \??\V:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\I:  alg.exe
File opened (read-only)  \??\P:  alg.exe
File opened (read-only)  \??\J:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\S:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened (read-only)  \??\Z:  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
-
Drops file in System32 directory 64 IoCs
Processes:
description                   ioc                                                                                   process
File opened for modification  \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe        f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\dllhost.exe                                                   alg.exe
File created                  \??\c:\windows\system32\klpbopjf.tmp                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\windows\system32\perceptionsimulation\bdaepojn.tmp                             f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe                             f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\lsass.exe                                                     f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\lsass.exe                                                     alg.exe
File opened for modification  \??\c:\windows\system32\msiexec.exe                                                   alg.exe
File opened for modification  \??\c:\windows\system32\locator.exe                                                   alg.exe
File created                  \??\c:\windows\system32\nnafoopa.tmp                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\fxssvc.exe                                                    alg.exe
File opened for modification  \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe          alg.exe
File opened for modification  \??\c:\windows\system32\locator.exe                                                   f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\wbengine.exe                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\windows\system32\bjhclacn.tmp                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\windows\system32\ifkqdgpe.tmp                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\windows\system32\lcjfaebk.tmp                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\openssh\ssh-agent.exe                                         f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\Agentservice.exe                                              f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\windows\system32\kncbmnec.tmp                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\windows\system32\bknhhonf.tmp                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\msdtc.exe                                                     f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\windows\system32\iqjifajm.tmp                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\tieringengineservice.exe                                      alg.exe
File opened for modification  \??\c:\windows\system32\wbem\wmiApsrv.exe                                             alg.exe
File opened for modification  \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe          f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG                                                   msdtc.exe
File created                  \??\c:\windows\system32\nobkedhb.tmp                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\adnenbea.tmp                               f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\alg.exe                                                       f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\dllhost.exe                                                   f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\svchost.exe                                                   alg.exe
File opened for modification  \??\c:\windows\system32\Agentservice.exe                                              alg.exe
File opened for modification  \??\c:\windows\system32\searchindexer.exe                                             alg.exe
File opened for modification  \??\c:\windows\system32\fxssvc.exe                                                    f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\msiexec.exe                                                   f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\spectrum.exe                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\tieringengineservice.exe                                      f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\windows\system32\bdobplpj.tmp                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\vds.exe                                                       alg.exe
File created                  \??\c:\windows\system32\openssh\nceiegaj.tmp                                          f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\wbem\wmiApsrv.exe                                             f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\syswow64\perfhost.exe                                                  alg.exe
File opened for modification  \??\c:\windows\system32\snmptrap.exe                                                  alg.exe
File opened for modification  \??\c:\windows\system32\vssvc.exe                                                     f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\searchindexer.exe                                             f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  C:\Windows\System32\WindowsPowerShell\v1.0\oigjjein.tmp                               f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\windows\system32\diagsvcs\fbdmmjcb.tmp                                         f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\windows\system32\pjmajehl.tmp                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\syswow64\perfhost.exe                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\sgrmbroker.exe                                                f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\windows\system32\nhnmcfid.tmp                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\sensordataservice.exe                                         alg.exe
File opened for modification  \??\c:\windows\system32\vssvc.exe                                                     alg.exe
File opened for modification  \??\c:\windows\system32\wbengine.exe                                                  alg.exe
File created                  \??\c:\windows\system32\dfdjpkjk.tmp                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\svchost.exe                                                   f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\Appvclient.exe                                                f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\Appvclient.exe                                                alg.exe
File created                  \??\c:\windows\system32\jjcfgdoa.tmp                                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\windows\system32\wbem\pcfbphak.tmp                                             f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\system32\msdtc.exe                                                     alg.exe
File opened for modification  \??\c:\windows\system32\sgrmbroker.exe                                                alg.exe
File opened for modification  \??\c:\windows\system32\sensordataservice.exe                                         f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description                   ioc                                                                                          process
File opened for modification  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe                f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe                                                              alg.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe                                                              f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe                    f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe                   f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe      alg.exe
File created                  \??\c:\program files (x86)\mozilla maintenance service\hjdjfejk.tmp                          alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe                    alg.exe
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe                   f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\program files\windows media player\dhnjeinn.tmp                                       f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\7-Zip\7z.exe                                                                alg.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe                                 f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe                f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\mip.exe                                   f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe                        f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\program files\common files\microsoft shared\source engine\ose.exe                     alg.exe
File created                  \??\c:\program files\common files\microsoft shared\source engine\obhlbdfm.tmp                alg.exe
File opened for modification  \??\c:\program files\windows media player\wmpnetwk.exe                                       alg.exe
File created                  C:\Program Files\7-Zip\lncjookl.tmp                                                          alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe          f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe               f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp                              f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  C:\Program Files\dotnet\jfjkgccl.tmp                                                         f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe      f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\jogfcpeh.tmp               f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe                   alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE                           f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe                                                         alg.exe
File created                  C:\Program Files\Common Files\microsoft shared\ink\mgecidfd.tmp                              f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe               alg.exe
File opened for modification  C:\Program Files\dotnet\dotnet.exe                                                           f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pgildlkb.tmp                     f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe                alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe                   f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe                                f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe                                                               alg.exe
File created                  C:\Program Files\Common Files\microsoft shared\ink\mnmjadqg.tmp                              f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  C:\Program Files\Common Files\microsoft shared\ink\occlljkq.tmp                              f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe                                                         f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp                       f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  C:\Program Files (x86)\Microsoft\Edge\Application\cikbqmip.tmp                               f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\7-Zip\7z.exe                                                                f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe                    f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\gkooamha.tmp                       f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe               alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe                           f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\program files\google\chrome\Application\110.0.5481.104\elevation_service.exe          f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\program files\windows media player\wmpnetwk.exe                                       f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE                         f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\program files (x86)\google\update\googleupdate.exe                                    f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\program files\common files\microsoft shared\source engine\ose.exe                     f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe                alg.exe
File created                  C:\Program Files\Common Files\microsoft shared\MSInfo\kgacdccg.tmp                           f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\nnbpngba.tmp                        f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe                   f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\ddnfppgh.tmp                      f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\nccafaqk.tmp                       f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe                    alg.exe
File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\jgpijieg.tmp                       f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\jkgaipki.tmp                     f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  C:\Program Files\7-Zip\jgpijieg.tmp                                                          alg.exe
File created                  C:\Program Files\7-Zip\nccafaqk.tmp                                                          alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe               f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
-
Drops file in Windows directory 6 IoCs
Processes:
description                   ioc                                                                    process
File opened for modification  C:\Windows\DtcInstall.log                                              msdtc.exe
File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe                          f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File created                  \??\c:\windows\servicing\dkdnacch.tmp                                  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  alg.exe
File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe                          alg.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
description      ioc                                                                                                                              process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"      fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"             fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"                fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"                            fxssvc.exe
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes:
pid   process
1180  alg.exe  (40 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid  process
672
672
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description                      pid   process
Token: SeTakeOwnershipPrivilege  2708  f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
Token: SeAuditPrivilege          8     fxssvc.exe
Token: SeTakeOwnershipPrivilege  1180  alg.exe
Token: SeSecurityPrivilege       4896  msiexec.exe
-
System policy modification 1 TTPs 2 IoCs
Processes:
description      ioc                                                                                      process
Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer                  alg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"  alg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1180
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:788
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1048
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:8
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:2808
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3692
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3344
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4896
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
629KB
MD5
e9024cc3ebe62d0ef5665438a5189593
SHA1
bb85b88eb140ddd0e43aae1a9e7a2ba47d30421b
SHA256
7937452bd1f279d36be3ee64d96c3ffd272a028ca94864cb81452adcb15aca40
SHA512
8fb379cfa1972c8888ec59a8a1b9fa9db944636459cbcf7d563c8bcb4216430df1cefd2803071b45602c983cfd9e10a80a97afb2d1a438c6d56b2bc09530008a
-
Filesize
940KB
MD5
17fe65e9797e4b6bfe8381c696a583b8
SHA1
f69370d3c1e8c14c9fc2aec620832653bef78008
SHA256
5c8e88d20f3bd36a0ef4ff34c966edd91700f8caab47ba76b9193ddcaacc8216
SHA512
b7adf5df40c635b78a342bb0433acda6c9041f84a319b49969df33733a4ddeec94f9af88ef9964e713eb8335a164b18e075b7957fa02a880733e5cf6737b67be
-
Filesize
1.3MB
MD5
333cde0b5a3ef63e3f3ff556dcf69b21
SHA1
0d29c082891af5ab300d1b8b2ba67beb618941d9
SHA256
6675b041d536794227dd306aab71a9be8ea3d1e7cfe8943e35c1849fe2147fdb
SHA512
714cdd9b21fd2779c5e7c134df3bc54946aa21898f94bd826aebb540fff2e22980b878923fbf59d0ebe1b69e6dd332de528ee8bd0e1669711ba43b48f5d3d3c2
-
Filesize
1.1MB
MD5
fb8aff3fe4580b8854c50158b0676a3b
SHA1
d09c20b2899bd55b8aa81f8dd8208abeba2c48f1
SHA256
da21243cc5490ac66eae80bcd14ace01031681d46878d3b337cb151bfaaa2f64
SHA512
5ab23c2c3d79ca6f6653bf1e9793c97e198bc187aeb828f483f2499f60ddf79adb2b543e60b1583ec2c466218837048d50b813bdcc87f1496e90a49c239474d2
-
Filesize
410KB
MD5
2930287660243b5b92a6633bb775297f
SHA1
ae4c780a29374344c1c4b3662864fa7aaf38cd79
SHA256
d1b26e36ecda068173e4f1d8707b1dce5b843a7d2ed1f7b89df6b07b4154c244
SHA512
bdf818efa67126f60190b60c382d6bba2de431a888025315b780f06378c166ee0649ba013ef48405d680277f1fd9f22d636f4c16a8acef65e319e358ea237cf7
-
Filesize
672KB
MD5
7e36c90f774b89dc10cf070498d82196
SHA1
ea0d91fb0846f4dfa4dfd33a987dd46fb17c6bab
SHA256
c4d012039166dc4c53228adec243ccb9bf53e9fa7bc2dbde5e5c811ca030de80
SHA512
735ae32f003d9210fcf83b49a66882bb82e1c8e0c03cc4209f7d1563737a5242a9d86316a39116d36d8da6474734a0c334cc9e565fbeb8d5d87848b20f8d391a
-
Filesize
4.5MB
MD5
48b4f58568be0bc76a31bca42c89608d
SHA1
7031eb790c4ba3983338492a7d74d8b2d5d8b6fe
SHA256
9898e14e098676b1101d061ea1244fd0d5b5d3fb257ca0f94973f53ea51c2029
SHA512
c5164814712ce6e2b5b4a8d593c8f4cb49ff36a78fd40a435dca935edca225fd6a7631b459dbf8121f9b505ff1945859e20f65d373ac938b8d910cf2825f7422
-
Filesize
738KB
MD5
8596c6a9e61740e371b829f900fa9c48
SHA1
36febda21bd1ee56d64538ad8a5f79760304dfc6
SHA256
b55d9a6d0bfcfb4aed026ea984223066baf0884e49f9d908aab2ef033932cec3
SHA512
f8563085e048d4d4ca920711e9748a5e89d50f7542b11f85fa2febabceca629dc848afd61d7fb29422ebffeef4eb02588eea872db252618260ffc47989427fbe
-
Filesize
23.8MB
MD5
fbccf125d51fe0a761949300453c88d2
SHA1
588e8dac53ff6917459287f744f95acc144d2aec
SHA256
37879ddbd57de04b167fcd838d3ee322abe486aa97823a02e41802ea46779967
SHA512
f7ab38b19afab2ff1a321b5e7f20358ed7dae6fd7f1f0349b21ec505b8840244544168be9811df2c74fd59f510be9487b10e3466c2738a21a0266af8db2dfdfa
-
Filesize
2.5MB
MD5
e030e9eb118315318ec3089062937d88
SHA1
beea9de7223d048c7d30fd83cd1300133d0b1c61
SHA256
482be16853f7dce0b351102bd3a6040ebe40fce5136f7988a5c205cec5177262
SHA512
0afda596f53f06a3466fb22d8d78ce9560af5ca9edbd85c7466ff3d643c029b48e63cb606e3cd9963fdc924fb9b5e2e32666b7d20404ab3d197c99ed8f359ad2
-
Filesize
2.0MB
MD5
2decc1a4d41f890591a0396ea351d4bb
SHA1
dfb1af01c73f8532f284e169656579396f77b36c
SHA256
db69b1874aded596550a3f0c766598b6dd67b5a4d7a4b7056dbe27ea5de1cda9
SHA512
5bb9d8905e125cb0b5ad91a27538fb9345960d3f631088917136e55078404169683e21035234f370c88dd1b0d4008f10e0d7363641e635e5dee1cd239acf9c32
-
Filesize
678KB
MD5
bf9d5894e0dee248b9da7a8e2b719aca
SHA1
6483dcf948b792493bc35b027cdf8bad62b2533b
SHA256
2823706e1dd72296462b7ed85cb827a796b67fd64c13aa37c9273d0962f29e75
SHA512
d3f02ed02ce6dcbf2bbadc32c41226c89bd1e4614e32c54146b25f9e0a8e2c2843eeb523e97f9d7312a758c38c7c9943752c51ea61c8aeb1fc4ab1a986c5ca13
-
Filesize
487KB
MD5
ed6debd678960acf2543a0e65acab077
SHA1
bdef1655ba7501d110de4f51f59b427fe69100d0
SHA256
05256ed56a94a9daf6dcdb2088d3b7440e00c43d9c50bf2fdbd2e0aaab2369c3
SHA512
9a25a7796e0d2e55556b5a36f0bbdf0e2439404ecf3966ff4027e6e46af6fc7467e02be375c94250150fa74a7aeb2c378e4ceec6a77a022c0b41f39ab03de5f5
-
Filesize
1.0MB
MD5
eb229355a3df44551eee45d34cb16dad
SHA1
e38afef85034a1e1b54095634126f049d27d1434
SHA256
4a80663fddfec69102497e79e7b6ea4ded9dac07c088e8ac04a6bb6896a4338c
SHA512
45419fa96f5cc2ce38367c5a5e022f4a1871fec049961b52beaf1108a0ef3f151f0be11e48775078a12b46ad1214c75a414954ee5a8f4c9ae1b352d38b12e519
-
Filesize
489KB
MD5
7ef56091aa7fad52ac6ad0e085c52d7b
SHA1
084c29fb1d0f4048a287c3da85b5ded7d1880271
SHA256
5af6894a84a17eacbc23ffa27a324ae24f18d4b62024d3bdbc35c1c2946ec015
SHA512
34843577811fe870e5cc7bb57e07cf2019648bd7c2cf8c217a63f0e41ecc88654ecfec0202a7816c3c5d604d54787233f3146b3b973bd9ca9d2f62e1b8267572
-
Filesize
540KB
MD5
f867682db04427536796e09a21bd64e1
SHA1
3aee779473c77528fb8920b1b88b9d0b6e102c74
SHA256
32bf17506988efe78d89ddb69c44c13d13c57d07a85e657272ab1946d6b5a01f
SHA512
123a6c9e931515a1a798e338073ab4d772b93ac73e31137d9f60039d164246db1f0e5c3e6e86e876a1bd64682c1e7618c790b011603aad72dbdee50c9f623c3c
-
Filesize
463KB
MD5
ddbff94a22b8acd4d4f7a5c0ef47f839
SHA1
6d78a746091545882376fad6f908f9ef25134041
SHA256
8c744e822d8225a444ccdeb65c2f48e5d91cc2fa09edb178feef402cb0e63774
SHA512
45a770fe2ae7635ecdfa357b4ac9669d08425fafab2d028cb524885174985d93cf041f9d948b291dd092639a5d18c84d47efe5e6ff5c73c6700df5a03e2e2d58
-
Filesize
1.9MB
MD5
7f01b0c7f5baa130bd5aa91057989bde
SHA1
4a489ce49e2a47eca1abac52148defd8e09ffd3e
SHA256
a6897f28ccf77cf9f010460a53585d64087353fece81305d4b6c0db9a114531f
SHA512
5932c81b50de10d522ec4caa5f2ef45a8461dd81e54ce086f6610e3b35c27677f1c4584f3304e580280d8841ae28aca60e62cc047d4dcdc62f4ea580c0aa1e2c
-
Filesize
637KB
MD5
e596d8b6baf596acace85ae7cade698f
SHA1
ea21d9240f6065c34b55aa7fcba807db7bdd51b1
SHA256
71e9ab4222b094dd707f921d259f5542631a8447afd93d6f9826509474f39a43
SHA512
0213c113d0a680897d66630027604a5ab4cf4b2289e23944b14cc942811117eba182916fc5b0e9fd8aae8d373ddc3869f84bdb7ab22e589c257db81bfd1cf8f2
-
Filesize
1.1MB
MD5
5509f3585c29c6e12f9816ef5a737c94
SHA1
e93b5ee8a3dbb95a27eb2471f0d343bd927efce4
SHA256
dd715cc386effa8edf0f0d1ad6994fe6357d5b870b52cc1b49aa289dec4ac7c5
SHA512
1b5a882a585d741d25a18c07a496ba170e125e334b283cd0585f3ba935ea09bbe29066428ab85371fb2c0dc035db3cbbcb4fa9b934d3b63d1d1520f53a61e13f