8e7eba92ab038f6a5ae941c56c76cb88152c82f9077d4e86131457a9b196c080

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 16:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe
Size

199KB
MD5

ffbcc78612502da6d4b7061ec1487fcd
SHA1

8d28ceb24558aadca7b9e0bac15a8e2615182945
SHA256

8e7eba92ab038f6a5ae941c56c76cb88152c82f9077d4e86131457a9b196c080
SHA512

31673ecbd58a79f36f6ee881300548a25bbfd2690b307de2a13eb48c35e11f481c8a00214ab0beca196a4cdcaf6d9589526ed0f2de13d33bd5d669d714343ee1
SSDEEP

6144:sqoD6y5v1FrCTViWtfoV21ehSiuODnxwt:sqq6y5vfslxoYEhSLOTy

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	svshost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	svshost.exe

Executes dropped EXE 2 IoCs

pid	Process
2540	svshost.exe
2748	svshost.exe

Loads dropped DLL 3 IoCs

pid	Process
2800	regsvr32.exe
2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe
2748	svshost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\windows\\SysWOW64\\svshost.exe"	svshost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	svshost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\svshost.exe	attrib.exe
File opened for modification	C:\windows\SysWOW64\msinet.ocx	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe
File opened for modification	C:\windows\SysWOW64\svshost.exe	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 2568	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	29
PID 2540 set thread context of 2748	2540	svshost.exe	33

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	svshost.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.internetteara.net/"	svshost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1\ = "132497"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\ = "Internet Control General Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\ = "Microsoft Internet Transfer Control 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\ = "Microsoft Internet Transfer Control, version 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\windows\\SysWow64\\msinet.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ = "Microsoft Internet Transfer Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\ = "Microsoft Internet Transfer Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID\ = "InetCtls.Inet.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID\ = "InetCtls.Inet"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\windows\\SysWow64\\msinet.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS\ = "2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32\ = "C:\\windows\\SysWow64\\msinet.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe
Token: SeDebugPrivilege	2540	svshost.exe
Token: SeDebugPrivilege	2748	svshost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe
2748	svshost.exe
2748	svshost.exe
2748	svshost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2712	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	28
PID 2184 wrote to memory of 2712	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	28
PID 2184 wrote to memory of 2712	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	28
PID 2184 wrote to memory of 2712	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	28
PID 2184 wrote to memory of 2568	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	29
PID 2184 wrote to memory of 2568	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	29
PID 2184 wrote to memory of 2568	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	29
PID 2184 wrote to memory of 2568	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	29
PID 2184 wrote to memory of 2568	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	29
PID 2184 wrote to memory of 2568	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	29
PID 2184 wrote to memory of 2568	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	29
PID 2184 wrote to memory of 2568	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	29
PID 2184 wrote to memory of 2568	2184	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	29
PID 2568 wrote to memory of 2800	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2800	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2800	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2800	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2800	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2800	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2800	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2540	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2540	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2540	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2540	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	31
PID 2540 wrote to memory of 2744	2540	svshost.exe	32
PID 2540 wrote to memory of 2744	2540	svshost.exe	32
PID 2540 wrote to memory of 2744	2540	svshost.exe	32
PID 2540 wrote to memory of 2744	2540	svshost.exe	32
PID 2540 wrote to memory of 2748	2540	svshost.exe	33
PID 2540 wrote to memory of 2748	2540	svshost.exe	33
PID 2540 wrote to memory of 2748	2540	svshost.exe	33
PID 2540 wrote to memory of 2748	2540	svshost.exe	33
PID 2540 wrote to memory of 2748	2540	svshost.exe	33
PID 2540 wrote to memory of 2748	2540	svshost.exe	33
PID 2540 wrote to memory of 2748	2540	svshost.exe	33
PID 2540 wrote to memory of 2748	2540	svshost.exe	33
PID 2568 wrote to memory of 2392	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	34
PID 2568 wrote to memory of 2392	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	34
PID 2568 wrote to memory of 2392	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	34
PID 2568 wrote to memory of 2392	2568	ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe	34

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	svshost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	svshost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	svshost.exe

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2392	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe
  ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe
  2⤵
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe
  ffbcc78612502da6d4b7061ec1487fcd_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\windows\system32\msinet.ocx
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2800
- - C:\windows\SysWOW64\svshost.exe
    C:\windows\system32\svshost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\windows\SysWOW64\svshost.exe
      svshost.exe
      4⤵
      PID:2744
  - - C:\windows\SysWOW64\svshost.exe
      svshost.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2748
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s C:\windows\system32\svshost.exe
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\windows\SysWOW64\msinet.ocx

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
\Windows\SysWOW64\svshost.exe

Filesize
49KB

MD5
07001fd2f0f017c1ce69a4d051a4b488

SHA1
ea4fbf47cb6aa918f91c9247ff8092dbbcb9a231

SHA256
2676c94d297703fe26587d8a314a561198eb64192c401adb5a10c65a705b0201

SHA512
93bb95adde4e5d5c58c4bfb9df6b344e91cf54d266c9162d6396d3a527ffb8be8d169eb49ea98b087b9627cc9074117c66991ed81bd766079afdedff5bba4b15

Download Submit
memory/2184-2-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download
memory/2184-1-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2184-0-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2184-16-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-43-0x0000000073BA0000-0x000000007414B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-31-0x0000000073BA0000-0x000000007414B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-28-0x0000000073BA0000-0x000000007414B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-29-0x0000000000700000-0x0000000000740000-memory.dmp

Filesize
256KB

Download
memory/2568-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2568-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2568-3-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2568-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2568-57-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2568-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2748-35-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2748-39-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2748-30-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2748-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-42-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2748-46-0x0000000002B70000-0x000000000362A000-memory.dmp

Filesize
10.7MB

Download
memory/2748-48-0x00000000055A0000-0x0000000006602000-memory.dmp

Filesize
16.4MB

Download
memory/2748-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2748-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads