Analysis
max time kernel: 127s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 11:22
Static task: static1
Behavioral task: behavioral1
Sample: 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe
Resource: win7-20240508-en

General
Target: 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe
Size: 7.4MB
MD5: 4ad1b0398bc3a371a82923383de2d0a4
SHA1: 9f977029800b4328dc752741156a6a0e5f6fa109
SHA256: 2877bf056524695a30300cc6f5469202538727e8003ea14e8d13480a59600171
SHA512: 469300fef819aebfe9dbeacf05f60eb509e31abaef0f596575107c69fbe56f0a95ac92135256e98c21c2e2c027fe2d12e1a5d8c402b59a758fea42fba671618b
SSDEEP: 98304:Zg560g56dJ0MpqXQg56Mx6rAVQ2QBPAUoU9H0YCg56L8uQhHrqrkjp:a5M5QpU5fvQxAUf9HXp5+hQHrdl
Malware Config

Extracted: remcos
Version: 1.7 Pro
Host: seasons444.ddns.net:8128
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: window
keylog_path: %AppData%
mouse_option: false
mutex: Office_vgqkluqlnw
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
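Not every field in the Remcos config above produces a host artefact: install_flag, keylog_flag and screenshot_flag are all false here, so the copied binary, Run value and keylog file that analysts usually hunt for would never be created by this build, while the mutex and C2 host are unconditional. The following is an added example, not code from the report or from the sandbox vendor, that turns an extracted config into only the artefacts the flags actually enable. The field semantics it relies on (install_flag gating install_path / copy_folder / copy_file and the Run value named startup_value; keylog_flag gating keylog_path / keylog_folder / keylog_file; screenshot_flag gating screenshot_path / screenshot_folder) are assumptions drawn from how Remcos configs are commonly documented, and REMCOS_CONFIG is a constructed copy of the page's values.

```python
"""Turn an extracted Remcos config into the host artefacts worth hunting for.

Added example; not code from the report or from the sandbox. Flag semantics are
assumptions (see lead-in): install_flag gates the dropped copy and Run value,
keylog_flag gates the keylog file, screenshot_flag gates the screenshot folder.
The mutex and the C2 host do not depend on any flag.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed copy of the fields the report extracted, values as printed on the page.
REMCOS_CONFIG: dict[str, str] = {
    "Host": "seasons444.ddns.net:8128",
    "copy_file": "remcos.exe",
    "copy_folder": "remcos",
    "install_flag": "false",
    "install_path": "%AppData%",
    "keylog_file": "logs.dat",
    "keylog_flag": "false",
    "keylog_folder": "window",
    "keylog_path": "%AppData%",
    "mutex": "Office_vgqkluqlnw",
    "screenshot_flag": "false",
    "screenshot_folder": "Screens",
    "screenshot_path": "%AppData%",
    "startup_value": "remcos",
}


@dataclass
class Artefacts:
    mutexes: list[str] = field(default_factory=list)
    c2: list[tuple[str, int]] = field(default_factory=list)
    files: list[str] = field(default_factory=list)
    run_values: list[str] = field(default_factory=list)  # value names under a Run key; hive not asserted


def _enabled(cfg: dict[str, str], flag: str) -> bool:
    """Remcos prints booleans as true/false; tolerate 1/yes from other extractors."""
    return cfg.get(flag, "false").strip().lower() in {"true", "1", "yes"}


def _join(*parts: str) -> str:
    return "\\".join(parts)


def _split_host(host: str) -> tuple[str, int]:
    name, _, port = host.rpartition(":")
    if not name or not port.isdigit():
        raise ValueError(f"unparseable host: {host!r}")
    return name, int(port)


def derive_artefacts(cfg: dict[str, str]) -> Artefacts:
    out = Artefacts()
    out.mutexes.append(cfg["mutex"])            # always created at start-up
    out.c2.append(_split_host(cfg["Host"]))     # always contacted
    if _enabled(cfg, "install_flag"):
        out.files.append(_join(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]))
        out.run_values.append(cfg["startup_value"])
    if _enabled(cfg, "keylog_flag"):
        out.files.append(_join(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]))
    if _enabled(cfg, "screenshot_flag"):
        out.files.append(_join(cfg["screenshot_path"], cfg["screenshot_folder"]))
    return out


if __name__ == "__main__":
    print(derive_artefacts(REMCOS_CONFIG))
    # Same build with persistence and keylogging switched on, to show the difference.
    print(derive_artefacts({**REMCOS_CONFIG, "install_flag": "true", "keylog_flag": "true"}))
```

For this sample the output reduces to the mutex Office_vgqkluqlnw and seasons444.ddns.net:8128; a hunt keyed on %AppData%\remcos\remcos.exe or a Run value named remcos would miss it.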
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/

Extracted: limerat
1BVfdhbuDbDuMXWErhTv8XwgwYP1K34oTD
aes_key: MAXS20
antivm: false
c2_url: https://pastebin.com/raw/vnPLhhBH
delay: 3
download_payload: false
install: false
install_name: Wservices.exe
main_folder: AppData
pin_spread: false
sub_folder: \
usb_spread: false

Extracted: warzonerat
cornerload.dynu.net:5500

Extracted: limerat
antivm: false
c2_url: https://pastebin.com/raw/vnPLhhBH
download_payload: false
install: false
pin_spread: false
usb_spread: false
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | svchost.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | svchost.exe
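All ten registry writes above come from the injected svchost.exe (PID 4904) and together switch off the Windows Firewall profile, UAC prompting and the Security Center's notifications. The following is an added example, not code from the report or from the sandbox vendor: a detector that parses "Set value" rows in the report's own line format, matches the value name, parent key and the specific impairing value, and labels each hit with the signature it belongs to and the ATT&CK technique shown in the report's matrix. The event lines are constructed copies (two benign ones are included to show what is not flagged); the rule table and the technique IDs are the example's own.

```python
"""Flag security-impairing registry writes in sandbox "Set value" event rows.

Added example, not part of the sandbox report. Rows are parsed in the shape the
report prints them:
    Set value (int) \\REGISTRY\\MACHINE\\...\\EnableLUA = "0" svchost.exe
A rule fires only when value name, parent key and the impairing value all match,
so a process re-enabling the firewall (EnableFirewall = "1") is not reported.
"""
import re
from dataclasses import dataclass

EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<process>\S+)$'
)


@dataclass(frozen=True)
class Rule:
    path_fragment: str   # case-insensitive substring that must occur in the parent key
    value_name: str
    bad_value: str
    signature: str       # name used by the report
    technique: str       # ATT&CK technique from the report's matrix


RULES = [
    Rule("\\FirewallPolicy\\", "EnableFirewall", "0", "Modifies firewall policy service", "T1562.001"),
    Rule("\\FirewallPolicy\\", "DoNotAllowExceptions", "0", "Modifies firewall policy service", "T1562.001"),
    Rule("\\FirewallPolicy\\", "DisableNotifications", "1", "Modifies firewall policy service", "T1562.001"),
    Rule("\\Policies\\System", "EnableLUA", "0", "UAC bypass", "T1548.002"),
] + [
    Rule("\\Security Center", name, "1", "Windows security bypass", "T1562.001")
    for name in ("AntiVirusOverride", "AntiVirusDisableNotify", "FirewallDisableNotify",
                 "FirewallOverride", "UpdatesDisableNotify", "UacDisableNotify")
]


@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    value: str
    signature: str
    technique: str


def parse_event(line: str):
    """Return the row's fields as a dict, or None if the line is not a Set value row."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(event: dict) -> list[Finding]:
    parent, _, name = event["key"].rpartition("\\")
    return [
        Finding(event["process"], event["key"], event["value"], r.signature, r.technique)
        for r in RULES
        if name.lower() == r.value_name.lower()
        and r.path_fragment.lower() in parent.lower()
        and event["value"] == r.bad_value
    ]


def scan(lines) -> list[Finding]:
    findings: list[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            findings.extend(match_rules(ev))
    return findings


# Constructed sample rows: three copied from the report's format, two benign, one garbage.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" mmc.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1\Software\Example\Theme = "dark" explorer.exe',
    "not an event row",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique} {f.signature}: {f.process} set {f.key} = {f.value}")
```

The same rule table works against live telemetry (Sysmon Event ID 13 carries TargetObject and Details in the same key/value shape) once the HKLM / \REGISTRY\MACHINE prefix difference is normalised.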
Warzone RAT payload (2 IoCs)
resource | yara_rule
behavioral2/memory/3956-84-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral2/memory/3956-82-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe

Drops startup file (3 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InfDefaultInstall.url | 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netbtugc.url | Internets.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktopimgdownldr.url | seg32.exe

Executes dropped EXE (5 IoCs)
pid | Process
2816 | seg32.exe
4552 | Servicez.exe
4856 | Internets.exe
768 | seg32.exe
3956 | seg32.exe

YARA rule upx (21 IoCs)
resource | yara_rule
behavioral2/memory/4904-N-0x0000000002FA0000-0x000000000402E000-memory.dmp | upx
(21 snapshots of the same region of PID 4904 svchost.exe, N = 39, 41, 45, 46, 51, 60, 64, 65, 66, 67, 68, 75, 76, 77, 88, 99, 103, 105, 108, 112, 114)

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (one IoC per drive letter) | svchost.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
26 | pastebin.com
27 | pastebin.com

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x00090000000233ae-7.dat | autoit_exe
behavioral2/files/0x00080000000233b1-18.dat | autoit_exe
behavioral2/files/0x00080000000233b2-29.dat | autoit_exe

Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | svchost.exe
File opened for modification | F:\autorun.inf | svchost.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 3728 set thread context of 4904 | 3728 | 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe | 95
PID 4552 set thread context of 640 | 4552 | Servicez.exe | 98
PID 2816 set thread context of 3956 | 2816 | seg32.exe | 100
PID 4856 set thread context of 456 | 4856 | Internets.exe | 103
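Each SetThreadContext row above pairs with a freshly created child that the parent first wrote into (the WriteProcessMemory rows further down): the dropper into svchost.exe, Servicez.exe into MSBuild.exe, Internets.exe into RegAsm.exe, and seg32.exe into a second copy of itself. That combination, rather than either call alone, is the process-hollowing pattern. The following is an added example, not code from the report or from the sandbox vendor, that reconstructs those chains from rows in the report's own format, classifies each target, and separately lists cross-process writes that have no matching SetThreadContext (here svchost.exe 4904 writing into unrelated system processes, which is Sality's in-memory infection rather than hollowing). The event rows are constructed copies, PID_TO_IMAGE is taken from the report's process tree, and HOLLOW_HOSTS is the example's own assumption. One caveat the example surfaces: the report caps WriteProcessMemory at 64 IoCs, so the Internets.exe to RegAsm.exe write is absent from the page and shows up as an injection with no recorded write.

```python
"""Reconstruct process-hollowing candidates from sandbox API-misuse rows.

Added example, not code from the report or from the sandbox vendor. Rows are
parsed in the shape the report prints them:
    PID 3728 set thread context of 4904 3728 <parent image> 95
    PID 3728 wrote to memory of 4904 3728 <parent image> 95
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SET_CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) \d+$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")

# Assumption: Microsoft binaries commonly launched suspended to host an injected payload.
HOLLOW_HOSTS = {"svchost.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "aspnet_compiler.exe", "vbc.exe"}

# From the report's process tree.
PID_TO_IMAGE = {
    3728: "4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe",
    2816: "seg32.exe", 768: "seg32.exe", 3956: "seg32.exe", 4612: "cmd.exe",
    4552: "Servicez.exe", 640: "MSBuild.exe",
    4856: "Internets.exe", 456: "RegAsm.exe",
    4904: "svchost.exe", 800: "fontdrvhost.exe",
}

# Constructed rows: the four SetThreadContext IoCs plus a subset of the WriteProcessMemory IoCs.
SAMPLE_EVENTS = [
    "PID 3728 set thread context of 4904 3728 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe 95",
    "PID 4552 set thread context of 640 4552 Servicez.exe 98",
    "PID 2816 set thread context of 3956 2816 seg32.exe 100",
    "PID 4856 set thread context of 456 4856 Internets.exe 103",
] + ["PID 3728 wrote to memory of 4904 3728 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe 95"] * 4 \
  + ["PID 4552 wrote to memory of 640 4552 Servicez.exe 98"] * 4 \
  + ["PID 2816 wrote to memory of 3956 2816 seg32.exe 100"] * 4 \
  + ["PID 2816 wrote to memory of 768 2816 seg32.exe 99"] * 3 \
  + ["PID 4904 wrote to memory of 800 4904 svchost.exe 9"]


@dataclass(frozen=True)
class Injection:
    parent_pid: int
    parent_image: str
    child_pid: int
    child_image: str
    memory_writes: int
    verdict: str


def _parse(events):
    """Return ({(writer, target): write_count}, [(src, dst, src_image)] for SetThreadContext)."""
    writes = defaultdict(int)
    ctx = []
    for line in events:
        line = line.strip()
        m = WRITE_RE.match(line)
        if m:
            writes[(int(m.group(1)), int(m.group(2)))] += 1
            continue
        m = SET_CTX_RE.match(line)
        if m:
            ctx.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return writes, ctx


def reconstruct(events, pid_to_image) -> list[Injection]:
    writes, ctx = _parse(events)
    result = []
    for src, dst, src_image in ctx:
        dst_image = pid_to_image.get(dst, "?")
        n = writes.get((src, dst), 0)
        if dst_image.lower() in HOLLOW_HOSTS:
            verdict = "hollowing into Microsoft host binary"
        elif dst_image.lower() == src_image.lower():
            verdict = "self-hollowing (same image re-launched)"
        else:
            verdict = "thread context tampering"
        if n == 0:
            verdict += " (no memory write in the IoC list)"
        result.append(Injection(src, src_image, dst, dst_image, n, verdict))
    return result


def unexplained_writes(events, pid_to_image):
    """Cross-process writes with no SetThreadContext on the same pair (e.g. an infector spraying code)."""
    writes, ctx = _parse(events)
    ctx_pairs = {(s, d) for s, d, _ in ctx}
    return [(pid_to_image.get(s, "?"), s, pid_to_image.get(d, "?"), d, n)
            for (s, d), n in sorted(writes.items()) if (s, d) not in ctx_pairs]


if __name__ == "__main__":
    for i in reconstruct(SAMPLE_EVENTS, PID_TO_IMAGE):
        print(f"{i.parent_image}({i.parent_pid}) -> {i.child_image}({i.child_pid}): "
              f"{i.memory_writes} writes, {i.verdict}")
    for w in unexplained_writes(SAMPLE_EVENTS, PID_TO_IMAGE):
        print("write without SetThreadContext:", w)
```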
Drops file in Program Files directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | svchost.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | svchost.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | count
3728 | 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe | 62
4904 | svchost.exe | 2

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process
3728 | 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe
4552 | Servicez.exe
2816 | seg32.exe
2816 | seg32.exe
4856 | Internets.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process | count
Token: SeDebugPrivilege | 4904 | svchost.exe | 64

Suspicious use of FindShellTrayWindow (13 IoCs)
pid | Process | count
3728 | 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe | 3
2816 | seg32.exe | 3
4552 | Servicez.exe | 3
4856 | Internets.exe | 3
456 | RegAsm.exe | 1

Suspicious use of SendNotifyMessage (12 IoCs)
pid | Process | count
3728 | 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe | 3
2816 | seg32.exe | 3
4552 | Servicez.exe | 3
4856 | Internets.exe | 3

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4904 | svchost.exe

Suspicious use of WriteProcessMemory (64 IoCs; list capped by the report)
description | pid | Process | procid_target | count
PID 3728 wrote to memory of 2816 | 3728 | 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe | 91 | 3
PID 3728 wrote to memory of 4552 | 3728 | 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe | 93 | 3
PID 3728 wrote to memory of 4856 | 3728 | 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe | 94 | 3
PID 3728 wrote to memory of 4904 | 3728 | 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe | 95 | 4
PID 4904 wrote to memory of 800 | 4904 | svchost.exe | 9 | 2
PID 4904 wrote to memory of 808 | 4904 | svchost.exe | 10 | 2
PID 4904 wrote to memory of 384 | 4904 | svchost.exe | 13 | 2
PID 4904 wrote to memory of 3012 | 4904 | svchost.exe | 49 | 2
PID 4904 wrote to memory of 3036 | 4904 | svchost.exe | 50 | 2
PID 4904 wrote to memory of 2828 | 4904 | svchost.exe | 52 | 2
PID 4904 wrote to memory of 3424 | 4904 | svchost.exe | 56 | 2
PID 4904 wrote to memory of 3576 | 4904 | svchost.exe | 57 | 2
PID 4904 wrote to memory of 3756 | 4904 | svchost.exe | 58 | 2
PID 4904 wrote to memory of 3852 | 4904 | svchost.exe | 59 | 2
PID 4904 wrote to memory of 3920 | 4904 | svchost.exe | 60 | 2
PID 4904 wrote to memory of 4008 | 4904 | svchost.exe | 61 | 1
PID 4904 wrote to memory of 4148 | 4904 | svchost.exe | 62 | 1
PID 4904 wrote to memory of 2136 | 4904 | svchost.exe | 64 | 1
PID 4904 wrote to memory of 2812 | 4904 | svchost.exe | 74 | 1
PID 4904 wrote to memory of 2288 | 4904 | svchost.exe | 79 | 1
PID 4904 wrote to memory of 3728 | 4904 | svchost.exe | 81 | 2
PID 4904 wrote to memory of 2840 | 4904 | svchost.exe | 83 | 1
PID 4904 wrote to memory of 1556 | 4904 | svchost.exe | 84 | 1
PID 4904 wrote to memory of 2816 | 4904 | svchost.exe | 91 | 2
PID 4904 wrote to memory of 4552 | 4904 | svchost.exe | 93 | 2
PID 4904 wrote to memory of 4856 | 4904 | svchost.exe | 94 | 2
PID 4552 wrote to memory of 640 | 4552 | Servicez.exe | 98 | 4
PID 2816 wrote to memory of 768 | 2816 | seg32.exe | 99 | 3
PID 2816 wrote to memory of 3956 | 2816 | seg32.exe | 100 | 4
PID 3956 wrote to memory of 4612 | 3956 | seg32.exe | 101 | 3
Processes
(indentation shows parent/child depth; each line gives PID, image path, then command line; signatures that fired for that process are listed beneath it)

PID 800    C:\Windows\system32\fontdrvhost.exe    "fontdrvhost.exe"
PID 808    C:\Windows\system32\fontdrvhost.exe    "fontdrvhost.exe"
PID 384    C:\Windows\system32\dwm.exe    "dwm.exe"
PID 3012   C:\Windows\system32\sihost.exe    sihost.exe
PID 3036   C:\Windows\system32\svchost.exe    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2828   C:\Windows\system32\taskhostw.exe    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3424   C:\Windows\Explorer.EXE    C:\Windows\Explorer.EXE
  PID 3728   C:\Users\Admin\AppData\Local\Temp\4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe    "C:\Users\Admin\AppData\Local\Temp\4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID 2816   C:\Users\Admin\AppData\Local\Temp\seg32.exe    "C:\Users\Admin\AppData\Local\Temp\seg32.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID 768    C:\Users\Admin\AppData\Local\Temp\seg32.exe    "C:\Users\Admin\AppData\Local\Temp\seg32.exe"
        - Executes dropped EXE
      PID 3956   C:\Users\Admin\AppData\Local\Temp\seg32.exe    "C:\Users\Admin\AppData\Local\Temp\seg32.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID 4612   C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe"
          PID 4388   C:\Windows\System32\Conhost.exe    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 4552   C:\Users\Admin\AppData\Local\Temp\Servicez.exe    "C:\Users\Admin\AppData\Local\Temp\Servicez.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID 640    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
    PID 4856   C:\Users\Admin\AppData\Local\Temp\Internets.exe    "C:\Users\Admin\AppData\Local\Temp\Internets.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID 456    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe    "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
        - Suspicious use of FindShellTrayWindow
    PID 4904   C:\Windows\SysWOW64\svchost.exe    "C:\Windows\SysWOW64\svchost.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
PID 3576   C:\Windows\system32\svchost.exe    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3756   C:\Windows\system32\DllHost.exe    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3852   C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3920   C:\Windows\System32\RuntimeBroker.exe    C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4008   C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 4148   C:\Windows\System32\RuntimeBroker.exe    C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2136   C:\Windows\System32\RuntimeBroker.exe    C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2812   C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 2288   C:\Windows\system32\backgroundTaskHost.exe    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
PID 2840   C:\Windows\System32\RuntimeBroker.exe    C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1556   C:\Windows\System32\RuntimeBroker.exe    C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4788   C:\Windows\system32\backgroundTaskHost.exe    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (2): Disable or Modify Tools (2)
  Modify Registry (3)
Downloads

Filesize: 2.4MB
MD5: ecdcf6e29f917239ecd9f3c4cd4bd4b4
SHA1: 131f924924ace74686b31640d3b781052abfd39e
SHA256: add54490ee3977e1bf2c7090d44a7ecd42dfc9488470e98ff9c3d8169e437b99
SHA512: 78946683a1a3f1415b22fa7fad5c4a736591399e3fc915bce798470b437d4430f6f7679272b3d7818662e6451817aa3cba44b9ae6d404834ac8d92fde5847733

Filesize: 1.5MB
MD5: 457d4329b66efcbd6bcba521502df6a8
SHA1: 99228fcf0fcde75cfcba2f35a7060bf3917a507b
SHA256: 276073fc5509436fed91dfa63e1a05478c8d1fe56d974fc5881bb3d545ab4aa7
SHA512: 61303aa92141241914b707b8afdb12affa6fe2ad6e6a670268963078e31a09c1d1d557c527b038ace8eec9921dbc3b6edf686ec82cd64a7be30fad97fda74b33

Filesize: 1.6MB
MD5: 0c6fa100c0fd612d9f55a87017989621
SHA1: 3298eeae3f5138d3bb8ed821f43090362c12f362
SHA256: facb90d2a9cf3daa839e624a6a2d12ea2555b357ca7397fbcfae65dba25e2d16
SHA512: 9659f78562558e3b30369fb008386131fe63724d5c668ae456905007ef7cab803f54b69199c5e4fac99ca05e817d813b4fbeb113450dd852afbabb29dde03364

Filesize: 100KB
MD5: 0f78ac7f8875fdeaa4c511755f2f6cb5
SHA1: d9015b4f730188920c37b5b8ba2b7fd73d433877
SHA256: d964c41313488c1cfb2e9e5076b1250f75f610862768ecc4300dcd31572f8961
SHA512: e6a4f55d05b742f32d102f608e46fa99590bda7e1fee4afb80952d53cafc37d2d8365e2d424a8c9d67aaacba8c536ab569f1a6729e99d10ea7b0169abd1d3f10