Analysis

max time kernel: 120s
max time network: 145s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 17-05-2024 03:35
Static task
static1

Behavioral tasks (sample, resource)
behavioral1: 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe (win7-20231129-en)
behavioral2: 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe (win10v2004-20240508-en)
behavioral3: $PLUGINSDIR/System.dll (win7-20240221-en)
behavioral4: $PLUGINSDIR/System.dll (win10v2004-20240226-en)
behavioral5: $PLUGINSDIR/UserInfo.dll (win7-20240508-en)
behavioral6: $PLUGINSDIR/UserInfo.dll (win10v2004-20240508-en)
behavioral7: $PLUGINSDIR/nsDialogs.dll (win7-20240508-en)
behavioral8: $PLUGINSDIR/nsDialogs.dll (win10v2004-20240426-en)
behavioral9: Uninstall.exe (win7-20240221-en)
behavioral10: Uninstall.exe (win10v2004-20240508-en)
behavioral11: $PLUGINSDIR/System.dll (win7-20240221-en)
behavioral12: $PLUGINSDIR/System.dll (win10v2004-20240426-en)
behavioral13: $PLUGINSDIR/UserInfo.dll (win7-20240419-en)
behavioral14: $PLUGINSDIR/UserInfo.dll (win10v2004-20240426-en)
behavioral15: _class.noobSlide.js (win7-20240221-en)
behavioral16: _class.noobSlide.js (win10v2004-20240508-en)
behavioral17: jqueryValidatorI18n.js (win7-20240221-en)
behavioral18: jqueryValidatorI18n.js (win10v2004-20240226-en)
General

Target: 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe
Size: 279KB
MD5: 4e411c2df17b88a85174574c5cdb51da
SHA1: 6dcd9a580abe0033b2dd72a68427a85276c3ab31
SHA256: e6557f9c50233007a4eef28a54017e0052d511da2e9170e68c87532131d25aae
SHA512: b39d908bb1d8d4b228b225f8b59f0af10ac23012f1045a4ffa348b571a5441f7bec6223e2cf34ae6ed59496bd1129d12d2a6ac8ba541f2553fc1ea664202d212
SSDEEP: 6144:KpkXGh/I4EJS8ktzGT3hvi9tKaVi3HOB3O6jg/:L4I4EJNkpGTaKh3H96jg/

Malware Config
Extracted from: C:\Users\Admin\Pictures\_README_.hta
Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.

Blocklisted process makes network request 6 IoCs
Processes (flow, pid, process):
1736, 2848, mshta.exe
1738, 2848, mshta.exe
1740, 2848, mshta.exe
1742, 2848, mshta.exe
1745, 2848, mshta.exe
1747, 2848, mshta.exe

Contacts a large (519) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.

Deletes itself 1 IoCs
Processes (pid, process):
2020, cmd.exe

Loads dropped DLL 1 IoCs
Processes (pid, process):
2392, 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes (description, ioc, process):
Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpAA05.bmp" (4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe)

Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
PID 2392 set thread context of 1644: 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe -> 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe

Drops file in Program Files directory 6 IoCs
Processes (description, ioc, process), all by 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe:
File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE
File created: C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_README_.hta
File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE
File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE
File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE
File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
Processes (pid, pid_target, process, target process):
2668, 2392, WerFault.exe, 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe

Kills process with taskkill 1 IoCs
Processes (pid, process):
2544, taskkill.exe

Modifies Internet Explorer settings 1 IoCs
Processes (description, ioc, process):
Key created: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)

Modifies system certificate store 3 IoCs
Processes (description, ioc, process):
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C (mshta.exe)
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [blob data elided] (mshta.exe)
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [blob data elided] (mshta.exe)

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
1644, 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe (all 64 entries are this same pid and process)

Suspicious behavior: MapViewOfSection 1 IoCs
Processes (pid, process):
2392, 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes (description, pid, process):
Token: SeDebugPrivilege, 1644, 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe
WMIC.exe (pid 2720), the following 20 tokens listed twice in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Token: SeBackupPrivilege, 2336, vssvc.exe
Token: SeRestorePrivilege, 2336, vssvc.exe
Token: SeAuditPrivilege, 2336, vssvc.exe
Token: SeDebugPrivilege, 2544, taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid, process):
2848, mshta.exe
2848, mshta.exe

Suspicious use of WriteProcessMemory 30 IoCs
Processes (description, pid, process, target process; repeated entries grouped with a count):
PID 2392 wrote to memory of 1644: 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe -> 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe (5 entries)
PID 2392 wrote to memory of 2668: 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe -> WerFault.exe (4 entries)
PID 1644 wrote to memory of 2652: 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe -> cmd.exe (4 entries)
PID 2652 wrote to memory of 2720: cmd.exe -> WMIC.exe (3 entries)
PID 1644 wrote to memory of 2848: 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe -> mshta.exe (4 entries)
PID 1644 wrote to memory of 2020: 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe -> cmd.exe (4 entries)
PID 2020 wrote to memory of 2544: cmd.exe -> taskkill.exe (3 entries)
PID 2020 wrote to memory of 1820: cmd.exe -> PING.EXE (3 entries)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indented by depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe"
        - Sets desktop wallpaper using registry
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\wbem\WMIC.exe
                Command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\mshta.exe
            Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\_README_.hta"
            - Blocklisted process makes network request
            - Modifies Internet Explorer settings
            - Modifies system certificate store
            - Suspicious use of SetWindowsHookEx
        [3] C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe"
            - Deletes itself
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\taskkill.exe
                Command line: taskkill /f /im "4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe"
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\system32\PING.EXE
                Command line: ping -n 1 127.0.0.1
                - Runs ping.exe
    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 440
        - Program crash
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\DllHost.exe
    Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\Pictures\_README_.hta
Filesize: 66KB
MD5: 748b0f07eb2f0d1f799d38054824d064
SHA1: 16c21023ccdb0779cc69a58bacec8414d25704a4
SHA256: 9efc7c5891a0dd82e359127c9e11fe11666ed31e480adf8e52c6e7864eb47d99
SHA512: ac99f6c44f9c839b9bafd34c9a863a34065b0b7a41deb3933949fe1853129fde0d03d36157e7fb24ffc51a979a90881b144dba90986ee2b37a822b588414fd48

\Users\Admin\AppData\Local\Temp\nstAAC.tmp\System.dll
Filesize: 11KB
MD5: a4dd044bcd94e9b3370ccf095b31f896
SHA1: 17c78201323ab2095bc53184aa8267c9187d5173
SHA256: 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512: 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Memory dumps (path, Filesize):
memory/1644-25-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/1644-16-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/1644-21-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/1644-22-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/1644-15-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/1644-26-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/1644-27-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/1644-13-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/1644-240-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/1644-247-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/1644-259-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/2392-24-0x00000000025E0000-0x000000000260D000-memory.dmp (180KB)
memory/2392-11-0x00000000025E0000-0x000000000260D000-memory.dmp (180KB)