Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 09-05-2024 11:49
- Static task: static1
- Behavioral task: behavioral1 (sample 29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe, resource win7-20231129-en)
- Behavioral task: behavioral2 (sample 29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe, resource win10v2004-20240508-en)

General
- Target: 29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe
- Size: 289KB
- MD5: 29d53275576b5ded03ed2a1e5dc1f0cf
- SHA1: 754da96a93a901bd9a2885b438b11989f020621b
- SHA256: 2bb093ea941ca8237a3e10f73497cf0f5c56982a0419b49d8b10ebd2f582ed6a
- SHA512: 11d35cf5d0589c589a7ac7ebf8cd44d03ce5a8a6ea078b5b5c0e083dcfdce22bc6d3d2a01a304cfbcec512ec0e9d5178dc1beb6241078de4f3b002a33979a27e
- SSDEEP: 6144:7sd6m6EUzDxm5xO8swLLu/H5jJcvQR7ZQwClBkcdfpYWVitetEg:7sd6m6EUztodsR5jI47ZJClBkUpbl
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 2644, pid_target 2540, process mshta.exe)
Checks for common network interception software (1 TTP)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes:
- Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions (regsvr32.exe)

Looks for VirtualBox drivers on disk (2 TTPs, 1 IoC)
Processes:
- File opened (read-only) C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys (regsvr32.exe)
ModiLoader Second Stage (53 IoCs)
Looks for VMWare Tools registry key (2 TTPs, 3 IoCs)
Processes:
- Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMWare, Inc.\VMWare Tools (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMWare, Inc.\VMWare Tools (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools (regsvr32.exe)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (regsvr32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (regsvr32.exe)
Deletes itself (1 IoC)
Processes:
- pid 1080 (regsvr32.exe)
Drops startup file (1 IoC)
Processes:
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\be0980.lnk (regsvr32.exe)
Executes dropped EXE (2 IoCs)
Processes:
- pid 1344 (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
- pid 2588 (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
Loads dropped DLL (3 IoCs)
Processes:
- pid 2864 (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
- pid 2864 (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
- pid 1344 (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:F19YYw=\"C\";G7H1=new%20ActiveXObject(\"WScript.Shell\");VyhkG26=\"5WcZ\";eyk88S=G7H1.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\hsgrudze\\\\zdxvakv\");rhJaE6dM=\"tIH\";eval(eyk88S);APEo98Kh=\"IVEXC\";" (regsvr32.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:Ehc1gFBK=\"w4dgf\";xX7=new%20ActiveXObject(\"WScript.Shell\");fnKe1L3=\"z2BA\";mO40ru=xX7.RegRead(\"HKCU\\\\software\\\\hsgrudze\\\\zdxvakv\");bZF69T=\"fE\";eval(mO40ru);l7F5EKr=\"JvC6qaj\";" (regsvr32.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\416844\\eecdc5.lnk\"" (regsvr32.exe)
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (regsvr32.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (regsvr32.exe)
Drops file in System32 directory (1 IoC)
Processes:
- File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
Suspicious use of SetThreadContext (4 IoCs)
Processes:
- PID 1660 set thread context of 2864 (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe -> 29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
- PID 1344 set thread context of 2588 (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe -> 29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
- PID 2624 set thread context of 1080 (powershell.exe -> regsvr32.exe)
- PID 1080 set thread context of 1584 (regsvr32.exe -> regsvr32.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
Processes:
- Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl (regsvr32.exe)
- Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\International (regsvr32.exe)
- Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
Modifies registry class (7 IoCs)
Processes:
- Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494\shell\open (regsvr32.exe)
- Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494\shell\open\command (regsvr32.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:gTqKu5k5B=\"VzJ\";Ub28=new ActiveXObject(\"WScript.Shell\");Bdpx30mf=\"0rQ5oz\";eg9ER=Ub28.RegRead(\"HKCU\\\\software\\\\hsgrudze\\\\zdxvakv\");iw67vO=\"Y45uv\";eval(eg9ER);XMquS9=\"N\";\"" (regsvr32.exe)
- Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.983f33d (regsvr32.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.983f33d\ = "81b494" (regsvr32.exe)
- Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494 (regsvr32.exe)
- Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494\shell (regsvr32.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
- pid 2624 (powershell.exe)
- pid 1080 (regsvr32.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- Token: SeDebugPrivilege, pid 2624 (powershell.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- pid 1660 (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
- pid 1344 (29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe)
Suspicious use of WriteProcessMemory (48 IoCs)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe (PID 1660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] child: C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe (PID 2864)
    Command line: "C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Looks for VMWare Tools registry key
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] child: C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe (PID 1344)
      Command line: "C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] child: C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe (PID 2588)
        Command line: "C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"
        Signatures:
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Looks for VMWare Tools registry key
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

- [1] C:\Windows\system32\mshta.exe (PID 2644)
  Command line: "C:\Windows\system32\mshta.exe" javascript:dxpSbwS8="e9kmcjI";I5q3=new%20ActiveXObject("WScript.Shell");lC3FPPa="9hx";ND42st=I5q3.RegRead("HKLM\\software\\Wow6432Node\\oWkmdT9U\\osp3ZocR");Fo9arfOV="9l";eval(ND42st);O1qCYBe="wTam";
  Signatures:
  - Process spawned unexpected child process
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  - [2] child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2624)
    Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:cbfo
    Signatures:
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] child: C:\Windows\SysWOW64\regsvr32.exe (PID 1080)
      Command line: regsvr32.exe
      Signatures:
      - Looks for VirtualBox Guest Additions in registry
      - Looks for VirtualBox drivers on disk
      - Looks for VMWare Tools registry key
      - Checks BIOS information in registry
      - Deletes itself
      - Drops startup file
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - [4] child: C:\Windows\SysWOW64\regsvr32.exe (PID 1584)
        Command line: "C:\Windows\SysWOW64\regsvr32.exe"
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1), Registry Run Keys / Startup Folder (1)
Downloads
- \Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe
  Filesize: 289KB
  MD5: 29d53275576b5ded03ed2a1e5dc1f0cf
  SHA1: 754da96a93a901bd9a2885b438b11989f020621b
  SHA256: 2bb093ea941ca8237a3e10f73497cf0f5c56982a0419b49d8b10ebd2f582ed6a
  SHA512: 11d35cf5d0589c589a7ac7ebf8cd44d03ce5a8a6ea078b5b5c0e083dcfdce22bc6d3d2a01a304cfbcec512ec0e9d5178dc1beb6241078de4f3b002a33979a27e