Analysis
-
max time kernel
143s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
09-05-2024 07:45
Static task
static1
Behavioral task
behavioral1
Sample
28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
Resource
win7-20231129-en
General
-
Target
28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe
-
Size
644KB
-
MD5
28fbf26d76059fb5f277eaae5b7f894b
-
SHA1
8bf8f4ccadd44da372359a31598856e187dc5b1f
-
SHA256
97b1a0a2a2f05f22c3f9ac4152e34ad4d629c577ea9425020d5f8ce204d583d0
-
SHA512
2db87c5f04edbfee71575ca045dd96e694e75b0c84a7400e01ba429af44987052d7b7b694bdbc5ef808b917d1f39d6ab6f521b40d895e3c1d8da938450800660
-
SSDEEP
12288:q0wKEpZHDQi7vhMgWMzU9l9fDWmSsLbpnHrM8DoiQQWpH3UMQ9fp6zgJGE0:1Ejki75MTSCaaLbpnQ/zpU9ozMa
Malware Config
Signatures
-
NirSoft MailPassView 9 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2544-154-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/2544-164-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/2544-161-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/2544-155-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/2544-151-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/2544-149-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/1232-259-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1232-260-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1232-263-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 9 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/2544-154-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/2544-164-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/2544-161-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/2544-155-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/2544-151-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/2544-149-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/2972-264-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2972-265-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2972-269-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 12 IoCs
resource yara_rule behavioral1/memory/2544-154-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/2544-164-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/2544-161-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/2544-155-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/2544-151-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/2544-149-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1232-259-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1232-260-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1232-263-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2972-264-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2972-265-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2972-269-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0006000000015018-178.dat acprotect -
Loads dropped DLL 1 IoCs
pid Process 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe -
resource yara_rule behavioral1/files/0x0006000000015018-178.dat upx behavioral1/memory/2544-217-0x0000000073E90000-0x0000000073EBE000-memory.dmp upx behavioral1/memory/2544-261-0x0000000073E90000-0x0000000073EBE000-memory.dmp upx behavioral1/memory/2544-310-0x0000000073E90000-0x0000000073EBE000-memory.dmp upx behavioral1/memory/2544-312-0x0000000073E90000-0x0000000073EBE000-memory.dmp upx behavioral1/memory/2544-314-0x0000000073E90000-0x0000000073EBE000-memory.dmp upx behavioral1/memory/2544-320-0x0000000073E90000-0x0000000073EBE000-memory.dmp upx behavioral1/memory/2544-321-0x0000000073E90000-0x0000000073EBE000-memory.dmp upx -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 whatismyipaddress.com 11 whatismyipaddress.com 12 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2360 set thread context of 2544 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 28 PID 2544 set thread context of 1232 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 30 PID 2544 set thread context of 2972 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 31 -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe Token: SeDebugPrivilege 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 2360 wrote to memory of 2544 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 28 PID 2360 wrote to memory of 2544 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 28 PID 2360 wrote to memory of 2544 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 28 PID 2360 wrote to memory of 2544 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 28 PID 2360 wrote to memory of 2544 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 28 PID 2360 wrote to memory of 2544 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 28 PID 2360 wrote to memory of 2544 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 28 PID 2360 wrote to memory of 2544 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 28 PID 2360 wrote to memory of 2544 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 28 PID 2360 wrote to memory of 260 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 1 PID 2360 wrote to memory of 348 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 16 PID 2360 wrote to memory of 436 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 5 PID 2360 wrote to memory of 340 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 2 PID 2360 wrote to memory of 604 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 9 PID 2360 wrote to memory of 756 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 11 PID 2360 wrote to memory of 868 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 13 PID 2360 wrote to memory of 1044 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 18 PID 2360 wrote to memory of 504 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 8 PID 2360 wrote to memory of 2040 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 25 PID 2360 wrote to memory of 1124 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 19 PID 2360 wrote to memory of 676 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 10 PID 2360 wrote to memory of 2544 2360 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 28 PID 2544 wrote to memory of 1232 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 30 PID 2544 wrote to memory of 1232 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 30 PID 2544 wrote to memory of 1232 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 30 PID 2544 wrote to memory of 1232 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 30 PID 2544 wrote to memory of 1232 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 30 PID 2544 wrote to memory of 1232 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 30 PID 2544 wrote to memory of 1232 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 30 PID 2544 wrote to memory of 1232 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 30 PID 2544 wrote to memory of 1232 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 30 PID 2544 wrote to memory of 1232 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 30 PID 2544 wrote to memory of 2972 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 31 PID 2544 wrote to memory of 2972 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 31 PID 2544 wrote to memory of 2972 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 31 PID 2544 wrote to memory of 2972 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 31 PID 2544 wrote to memory of 2972 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 31 PID 2544 wrote to memory of 2972 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 31 PID 2544 wrote to memory of 2972 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 31 PID 2544 wrote to memory of 2972 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 31 PID 2544 wrote to memory of 2972 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 31 PID 2544 wrote to memory of 2972 2544 28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe 31
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:260
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:340
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:436
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵PID:504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵PID:604
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS1⤵PID:676
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:756
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService1⤵PID:348
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork1⤵PID:1044
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1124
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe1⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
PID:1232
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵PID:2972
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD57f86405c4f15aee9a53b8b35780338cf
SHA18a5b69d9636df0c4d8c986627ef8ed06a652f787
SHA256f5c5d9066e08c7899da40a7893bbc5e062ade78a706c9f6f4afa115e3ba3b8db
SHA512ac935fb1492bc21128861c67a501f1d36945635b44ae1806e8730f148b81b63e622455f7991c68773e8aa72c378f976abe3ee1a01b573d0e339669e2978f7515
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5cbc224d22a6f8a21c08ed2b241b8825f
SHA1ce81bc1e2d3aff7edc6bb5320efc9cca8e995002
SHA2561544417f57befef2706bf311b49ec8218b3cd1fe9e041f3740465d9083e62b7c
SHA5122a93ae29d46e565d17f20319747bc083170e643e0a7ef9f0c80cda1e2259ce41754b031feef182b5a34bacb61a76c9246a70f9631d596b748bd23fb8f1ff2863
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD5acc05a3a0c75a923f13808a45911bf36
SHA1fa6b0efb1bc4c52f2691923ab833ee9974bb9777
SHA2566afb0e9d3f67b936c6c6b2e24074de76d1c131e65a7adb23ceac94a429794a7f
SHA512025ee98c2b8923f12b54e0c4692f41662c56c3019fca2d907733a2a0dc87c53cdc47926aef62287e2adeb90cdcc18dcfc8bee89d0033c4fa1690ec3e8a7eee26
-
Filesize
4B
MD5f0f6ba4b5e0000340312d33c212c3ae8
SHA1f40c22f2dc6461f1cd9243ad4df239052f78040f
SHA25618177338c3669a1314d644b7f4ecfd18a5c735e819edf1e2062c3bc354d0dd7f
SHA512b9537ba03e00791da5b07082b0a6ce3b087af1620f122c59f02edfc589d55794141496311841da65992cf9fc369d05d40a573d37b90da7f0228cc150c1c39988
-
Filesize
84B
MD5ffde9988c78c77f01503787cb84611a3
SHA1a945ba914b21ba99f3ddd8bfa13bdc2599ac7e6a
SHA2569ab16cacc9cfc0ac83653c4a16beeb25ceaa63b01d6ad3f389e7aac917848a5c
SHA51238536e7f0f74f4159176eefd053b44dddc7eef75cd6ff5d6563bc3a02bc5298c1c66719ceed94ed149fb7141ab68d8131accf13c0fd6f101d3e5b83bb90f32c6
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
66KB
MD5aaa698721f488b181bc0f0afc5da126a
SHA176536a73f16ffd643ea24f8725cebfff9d49852f
SHA256e71ba7ce01d10e60a4feac7fc5e04f34756ba621c7d88583d0f96bd3b2655647
SHA51267d8b05678fbdc1678515c341fa8c1e26f3d1b15f2cc390bb9b1a26589a346fd57697dd3366e72d46ab265570929f1be89b8aec81112a2a98194c5886c89261d