Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 20:53
Static task: static1
Behavioral task: behavioral1
  Sample: 21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/System.dll
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/System.dll
  Resource: win10v2004-20240419-en
Behavioral task: behavioral5
  Sample: NsResize.dll
  Resource: win7-20240215-en
Behavioral task: behavioral6
  Sample: NsResize.dll
  Resource: win10v2004-20240419-en
General
- Target: 21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
- Size: 241KB
- MD5: 21af27ba9ac8e0dc4124c57f82b7e514
- SHA1: b653f8672df111229959112ba7d5c710f94dc578
- SHA256: bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6
- SHA512: ff90faab3d7a584fbedb2216ed7cc1101320bec809b91d4991c89202e1b634841383ac547a6c9bb1bf763d1c5534d0bc98b0ed2d7ebeb47f169e5bd938b706fd
- SSDEEP: 6144:Kn/L+GOmXqA8VtR4ZhSTpkdpNRauPmuRfV/A/ETrSQ1tuY:0zOmXqActRYhgk5Ra6mkflTrSM
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 6 IoCs
Processes:
flow  pid   process
1544  1768  mshta.exe
1546  1768  mshta.exe
1548  1768  mshta.exe
1550  1768  mshta.exe
1553  1768  mshta.exe
1555  1768  mshta.exe
-
Contacts a large (519) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes itself 1 IoCs
Processes:
pid   process
1764  cmd.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid   process
1848  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
1848  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
1848  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description       ioc                                                                                                                                      process
Set value (str)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp290.bmp"  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process                                              target process
PID 1848 set thread context of 2940  1848  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
-
Drops file in Program Files directory 6 IoCs
Processes:
description                   ioc                                                                                        process
File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
File created                  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta    21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE     21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
pid   process
1804  taskkill.exe
-
Modifies Internet Explorer settings
Processes:
description  ioc                                                                                                        process
Key created  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
-
Modifies system certificate store
Processes:
description       ioc                                                                                                                    process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C        mshta.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted)  mshta.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted)  mshta.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2940  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe  (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
pid   process                                              tokens
2940  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe  SeDebugPrivilege
2736  WMIC.exe                                            SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this sequence is recorded twice)
2476  vssvc.exe                                           SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
1804  taskkill.exe                                        SeDebugPrivilege
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
1768  mshta.exe
1768  mshta.exe
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
pid   process                                              wrote to memory of  target process                                       entries
1848  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe  2940                21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe  10
2940  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe  2592                cmd.exe                                              4
2592  cmd.exe                                             2736                WMIC.exe                                             3
2940  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe  1768                mshta.exe                                            4
2940  21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe  1764                cmd.exe                                              4
1764  cmd.exe                                             1804                taskkill.exe                                         3
1764  cmd.exe                                             2896                PING.EXE                                             3
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe"
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wbem\WMIC.exe
        Command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
      - Modifies system certificate store
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /im "21af27ba9ac8e0dc4124c57f82b7e514_JaffaCakes118.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\PING.EXE
        Command line: ping -n 1 127.0.0.1
        - Runs ping.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
Downloads
-
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta
  Filesize: 61KB
  MD5: def66c32fbe280a866aef4cf2ad7fb3e
  SHA1: e0e41412492c0d0baf37c6468f769f96774f1cdd
  SHA256: 40a9566f7eba230d7160ee31a1885b3fee1405ab96662e45540b592f397081cb
  SHA512: c823d2c54ebfe49d2826733ba40b5d24c91122d58f3478b3b7fb514d34b1b7e06500aa7e2a8484641d9eb2e1012be8826e22685e1aa9cbff0d8a963296eb2873
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\nsd2260.tmp\System.dll
  Filesize: 11KB
  MD5: a436db0c473a087eb61ff5c53c34ba27
  SHA1: 65ea67e424e75f5065132b539c8b2eda88aa0506
  SHA256: 75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
  SHA512: 908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
-
C:\Users\Admin\AppData\Roaming\Addendum.H
  Filesize: 189KB
  MD5: a2039fc589b4554aae01adc00c678bd5
  SHA1: 76bb96251feec4ceebb44cd7b44e42bb3da03b8b
  SHA256: 9ede8dfb24c6efa751960f68da159e8c099f95cefde9b6fdf56f817d158c2bf6
  SHA512: 3711a8b885ab3c794739a53d8bae5d9685fa1c39c5d1dbd298357f6d896ece66d9a8bed3c01350add0fdf5b48aa0c1ef08156874ecafcb7ce340994bb394390b
-
C:\Users\Admin\AppData\Roaming\article.appendix.title.properties.xml
  Filesize: 1KB
  MD5: adb1a285a2b926f98c062fbb74e1e992
  SHA1: 1f9799a61072673042a1a3da0fdf3fa93cf10f90
  SHA256: 4ba4637bffa741ba5619c3de97b6c209b5a9deb330385efc7a588492a98b7b45
  SHA512: aa65628e34601645dfcdcb1f5f0347ae84555bd1a99432d4c25a50044dae932385bfa1f50551f6577d184de684f9264743facb53f4aa2e46bdfeff5c85bc6bd7
-
C:\Users\Admin\AppData\Roaming\btn-next-static.png
  Filesize: 3KB
  MD5: 20418349e7f8244ea53bc174b2ff9576
  SHA1: edb9087b6d85247ea0cad0060f540b0f890a80e1
  SHA256: 35d36d6619e249e8bf4838098fd1770c78617e3019162aaca092f8fa37c82dcb
  SHA512: b12946ca17bb23403e106d561ae42d15695efde73eb4efb4099b57824c7ba0d2e331850022405f1d5da9502b568a217c06f259600cbbacc0d1c2b7210b31081f
-
\Users\Admin\AppData\Roaming\NsResize.dll
  Filesize: 28KB
  MD5: d53bd2d5591a78ea15b3bd59e2652bd6
  SHA1: 40968bcae13ee63469d241200679b25dfa5fdd4c
  SHA256: 1734bceb77dab6739b80575fd7ee87c437327d8eb147339e1d93b7d3235c5394
  SHA512: c07bbab95251f16ac4b1c03e0324792b35badd111cced2e5c8e0de467226e572edfe5ca6e528c3494664f2569774f6a422806f54883cc2ef3726e21f4a011f5b
-
memory/2940-35-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-328-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-23-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-37-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-42-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-43-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-45-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-46-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-47-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-25-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-27-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-29-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
-
memory/2940-322-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-325-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-21-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-331-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-334-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-337-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-340-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-343-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-347-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-350-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-353-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-356-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-359-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-362-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-365-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-368-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-375-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-388-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
-
memory/2940-33-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)