a52ba33e7b386e933d1a6ae99f257315935d4c68cd21f91e987d327683f9c990

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
Size

8.8MB
MD5

6d2252d1f81e4a89059e7fbf6d4d0ecf
SHA1

fd182a7b2236b0bf447ac940d26b230fc75c54f3
SHA256

a52ba33e7b386e933d1a6ae99f257315935d4c68cd21f91e987d327683f9c990
SHA512

cfa5ead005026c01a3a72eca8d1a50ccce02283146f6e6ba99945d3e25879b7314a392cb342e8018b860b16dc10ff6db08168815a4fad84a49f9cb43f4676871
SSDEEP

196608:EwWfZ4PDKMxSIFQColSp5oNeW7f9VBQWwigouggCJEmvPjUide:1WfZ47X4QolSXglfiouggC2m4D

Score

10^/10

discovery evasion execution persistence spyware stealer trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

8ee6796fc598357c07c57f24be8e0f8d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\program files\0284cc8d6dbf9d5c14e9e63be1b26083\ = "0"	8ee6796fc598357c07c57f24be8e0f8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers\e848c604cacf2a9936e35d2dcd3d9833.sys = "0"	8ee6796fc598357c07c57f24be8e0f8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\3093031d785cfc55a52c5cc7e7778775.exe = "0"	8ee6796fc598357c07c57f24be8e0f8d.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Drops file in Drivers directory 1 IoCs

Processes:

6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe

description ioc process

File created C:\Windows\system32\drivers\e848c604cacf2a9936e35d2dcd3d9833.sys 6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 3 IoCs

Processes:

nsy2417.tmp8ee6796fc598357c07c57f24be8e0f8d.exe8ee6796fc598357c07c57f24be8e0f8d.exe

pid process

2492 nsy2417.tmp
1556 8ee6796fc598357c07c57f24be8e0f8d.exe
1092 8ee6796fc598357c07c57f24be8e0f8d.exe

description	ioc	process
File created	C:\Windows\system32\drivers\e848c604cacf2a9936e35d2dcd3d9833.sys	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe

pid	process
2492	nsy2417.tmp
1556	8ee6796fc598357c07c57f24be8e0f8d.exe
1092	8ee6796fc598357c07c57f24be8e0f8d.exe

Loads dropped DLL 64 IoCs

Processes:

6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exensy2417.tmp

pid	process
2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp
2492	nsy2417.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

8ee6796fc598357c07c57f24be8e0f8d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\program files\0284cc8d6dbf9d5c14e9e63be1b26083\ = "0"	8ee6796fc598357c07c57f24be8e0f8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers\e848c604cacf2a9936e35d2dcd3d9833.sys = "0"	8ee6796fc598357c07c57f24be8e0f8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\3093031d785cfc55a52c5cc7e7778775.exe = "0"	8ee6796fc598357c07c57f24be8e0f8d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

Processes:

8ee6796fc598357c07c57f24be8e0f8d.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SSL	8ee6796fc598357c07c57f24be8e0f8d.exe
File opened for modification	C:\Windows\System32\SSL\cert.db	8ee6796fc598357c07c57f24be8e0f8d.exe
File created	C:\Windows\System32\SSL\cert.db	8ee6796fc598357c07c57f24be8e0f8d.exe
File opened for modification	C:\Windows\System32\SSL\x.db	8ee6796fc598357c07c57f24be8e0f8d.exe
File opened for modification	C:\Windows\System32\SSL\xtls.db	8ee6796fc598357c07c57f24be8e0f8d.exe
File opened for modification	C:\Windows\System32\SSL\xv.db	8ee6796fc598357c07c57f24be8e0f8d.exe
File opened for modification	C:\Windows\System32\SSL\492c19fbdad3028c.cer	8ee6796fc598357c07c57f24be8e0f8d.exe
File created	C:\Windows\System32\__00000001409DC4C1__C0000005.dmp	8ee6796fc598357c07c57f24be8e0f8d.exe

Drops file in Program Files directory 8 IoCs

Processes:

6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\0284cc8d6dbf9d5c14e9e63be1b26083\8ee6796fc598357c07c57f24be8e0f8d.exe	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
File created	C:\Program Files\0284cc8d6dbf9d5c14e9e63be1b26083\9713106bb351f16790db9228bfdc7770.exe	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
File created	C:\Program Files\0284cc8d6dbf9d5c14e9e63be1b26083\3093031d785cfc55a52c5cc7e7778775.exe	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
File created	C:\Program Files\0284cc8d6dbf9d5c14e9e63be1b26083\5aa11ecb0b54d929a417b8a011963f26\de2bc136a2989b32f980cc423e4a2590.ico	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
File created	C:\Program Files\0284cc8d6dbf9d5c14e9e63be1b26083\5aa11ecb0b54d929a417b8a011963f26\f27ee287e6502c55aedfa6ba0dc9d12c.ico	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
File created	C:\Program Files\0284cc8d6dbf9d5c14e9e63be1b26083\5aa11ecb0b54d929a417b8a011963f26\e8fe937e261497e543ac13864fedc5c9.ico	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
File created	C:\Program Files\0284cc8d6dbf9d5c14e9e63be1b26083\de2bc136a2989b32f980cc423e4a2590.ico	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
File created	C:\Program Files\0284cc8d6dbf9d5c14e9e63be1b26083\8d0d6f1add393ab2fe77f138ba98c1b2	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

Processes:

8ee6796fc598357c07c57f24be8e0f8d.exe6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\system32	8ee6796fc598357c07c57f24be8e0f8d.exe
File created	C:\Windows\3093031d785cfc55a52c5cc7e7778775.exe	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2560 sc.exe
1732 sc.exe
2712 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2564 tasklist.exe

pid	process
2560	sc.exe
1732	sc.exe
2712	sc.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

nsy2417.tmp8ee6796fc598357c07c57f24be8e0f8d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings	nsy2417.tmp
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	nsy2417.tmp
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	nsy2417.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	8ee6796fc598357c07c57f24be8e0f8d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	8ee6796fc598357c07c57f24be8e0f8d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	nsy2417.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	nsy2417.tmp
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	nsy2417.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	8ee6796fc598357c07c57f24be8e0f8d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	8ee6796fc598357c07c57f24be8e0f8d.exe

Modifies registry class 9 IoCs

Processes:

nsy2417.tmp8ee6796fc598357c07c57f24be8e0f8d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings	nsy2417.tmp
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Software\Microsoft	nsy2417.tmp
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion	nsy2417.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	nsy2417.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9	8ee6796fc598357c07c57f24be8e0f8d.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Software	nsy2417.tmp
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Software\Microsoft\Windows	nsy2417.tmp
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings	nsy2417.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9\LocalService = "0284cc8d6dbf9d5c14e9e63be1b26083"	8ee6796fc598357c07c57f24be8e0f8d.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

8ee6796fc598357c07c57f24be8e0f8d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B22F6DE932BFA17DF53A9E313C8B8767AED45B66	8ee6796fc598357c07c57f24be8e0f8d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B22F6DE932BFA17DF53A9E313C8B8767AED45B66\Blob = 030000000100000014000000b22f6de932bfa17df53a9e313c8b8767aed45b6620000000010000006e0300003082036a30820252a0030201020211008aec0d51654c03180a8850645fceb45f300d06092a864886f70d01010b0500305d3133303106092a864886f70d0109011624696e666f40746563686e6f6c6f67696561647269656e70726f76656e636865722e636f6d310b300906035504061302454e3119301706035504030c10343932633139666264616433303238633020170d3034303532393033303331345a180f32303634303531343033303331345a305d3133303106092a864886f70d0109011624696e666f40746563686e6f6c6f67696561647269656e70726f76656e636865722e636f6d310b300906035504061302454e3119301706035504030c103439326331396662646164333032386330820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101009a767ee06b0d41eb2c0bd229a5f4cf734a80adeb1593e4b28696435f0377431853bc91f8bb8ade76f99909ccf7ee2c7d9c49fa30deddc81688ad49deef39915e26cbef06a05a088937bb31b24d629a9b46821762d1be086d068148be39cd987ade2268ee3f0ebe6ec51a840a210ad999519dd51098d25a37d39b2860aabeb35bfb750fcd0bf27f90fc01b4f023447e100db8f19f0ac0d8ab613dc8349710ebb2f56899377bf215a106a56ae39ceac559ee7bfa0c0415224281582599df801a535327c63e58a56fd4d678a18a9315468ad2893bec5f47ee965eec7711df8a16881e62d87ec0bc355785deb2bd46714571af48f4a53f15c5c3656da317818644d7	8ee6796fc598357c07c57f24be8e0f8d.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

tasklist.exe8ee6796fc598357c07c57f24be8e0f8d.exe

pid	process
2564	tasklist.exe
2564	tasklist.exe
1092	8ee6796fc598357c07c57f24be8e0f8d.exe
1092	8ee6796fc598357c07c57f24be8e0f8d.exe
1092	8ee6796fc598357c07c57f24be8e0f8d.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

480
480

pid	process
480
480

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exeWMIC.exensy2417.tmp

description	pid	process
Token: SeDebugPrivilege	2564	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2588	WMIC.exe
Token: SeSecurityPrivilege	2588	WMIC.exe
Token: SeTakeOwnershipPrivilege	2588	WMIC.exe
Token: SeLoadDriverPrivilege	2588	WMIC.exe
Token: SeSystemProfilePrivilege	2588	WMIC.exe
Token: SeSystemtimePrivilege	2588	WMIC.exe
Token: SeProfSingleProcessPrivilege	2588	WMIC.exe
Token: SeIncBasePriorityPrivilege	2588	WMIC.exe
Token: SeCreatePagefilePrivilege	2588	WMIC.exe
Token: SeBackupPrivilege	2588	WMIC.exe
Token: SeRestorePrivilege	2588	WMIC.exe
Token: SeShutdownPrivilege	2588	WMIC.exe
Token: SeDebugPrivilege	2588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2588	WMIC.exe
Token: SeRemoteShutdownPrivilege	2588	WMIC.exe
Token: SeUndockPrivilege	2588	WMIC.exe
Token: SeManageVolumePrivilege	2588	WMIC.exe
Token: 33	2588	WMIC.exe
Token: 34	2588	WMIC.exe
Token: 35	2588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2588	WMIC.exe
Token: SeSecurityPrivilege	2588	WMIC.exe
Token: SeTakeOwnershipPrivilege	2588	WMIC.exe
Token: SeLoadDriverPrivilege	2588	WMIC.exe
Token: SeSystemProfilePrivilege	2588	WMIC.exe
Token: SeSystemtimePrivilege	2588	WMIC.exe
Token: SeProfSingleProcessPrivilege	2588	WMIC.exe
Token: SeIncBasePriorityPrivilege	2588	WMIC.exe
Token: SeCreatePagefilePrivilege	2588	WMIC.exe
Token: SeBackupPrivilege	2588	WMIC.exe
Token: SeRestorePrivilege	2588	WMIC.exe
Token: SeShutdownPrivilege	2588	WMIC.exe
Token: SeDebugPrivilege	2588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2588	WMIC.exe
Token: SeRemoteShutdownPrivilege	2588	WMIC.exe
Token: SeUndockPrivilege	2588	WMIC.exe
Token: SeManageVolumePrivilege	2588	WMIC.exe
Token: 33	2588	WMIC.exe
Token: 34	2588	WMIC.exe
Token: 35	2588	WMIC.exe
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp
Token: SeRestorePrivilege	2492	nsy2417.tmp

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.execmd.execmd.exensy2417.tmp

description	pid	process	target process
PID 2972 wrote to memory of 2984	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2984	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2984	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2984	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	cmd.exe
PID 2984 wrote to memory of 1660	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 1660	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 1660	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 1660	2984	cmd.exe	cmd.exe
PID 1660 wrote to memory of 2564	1660	cmd.exe	tasklist.exe
PID 1660 wrote to memory of 2564	1660	cmd.exe	tasklist.exe
PID 1660 wrote to memory of 2564	1660	cmd.exe	tasklist.exe
PID 1660 wrote to memory of 2564	1660	cmd.exe	tasklist.exe
PID 2984 wrote to memory of 2588	2984	cmd.exe	WMIC.exe
PID 2984 wrote to memory of 2588	2984	cmd.exe	WMIC.exe
PID 2984 wrote to memory of 2588	2984	cmd.exe	WMIC.exe
PID 2984 wrote to memory of 2588	2984	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 2492	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	nsy2417.tmp
PID 2972 wrote to memory of 2492	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	nsy2417.tmp
PID 2972 wrote to memory of 2492	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	nsy2417.tmp
PID 2972 wrote to memory of 2492	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	nsy2417.tmp
PID 2972 wrote to memory of 2492	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	nsy2417.tmp
PID 2972 wrote to memory of 2492	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	nsy2417.tmp
PID 2972 wrote to memory of 2492	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	nsy2417.tmp
PID 2492 wrote to memory of 2560	2492	nsy2417.tmp	sc.exe
PID 2492 wrote to memory of 2560	2492	nsy2417.tmp	sc.exe
PID 2492 wrote to memory of 2560	2492	nsy2417.tmp	sc.exe
PID 2492 wrote to memory of 2560	2492	nsy2417.tmp	sc.exe
PID 2492 wrote to memory of 2560	2492	nsy2417.tmp	sc.exe
PID 2492 wrote to memory of 2560	2492	nsy2417.tmp	sc.exe
PID 2492 wrote to memory of 2560	2492	nsy2417.tmp	sc.exe
PID 2972 wrote to memory of 1732	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	sc.exe
PID 2972 wrote to memory of 1732	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	sc.exe
PID 2972 wrote to memory of 1732	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	sc.exe
PID 2972 wrote to memory of 1732	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	sc.exe
PID 2972 wrote to memory of 2712	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	sc.exe
PID 2972 wrote to memory of 2712	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	sc.exe
PID 2972 wrote to memory of 2712	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	sc.exe
PID 2972 wrote to memory of 2712	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	sc.exe
PID 2972 wrote to memory of 1556	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	8ee6796fc598357c07c57f24be8e0f8d.exe
PID 2972 wrote to memory of 1556	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	8ee6796fc598357c07c57f24be8e0f8d.exe
PID 2972 wrote to memory of 1556	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	8ee6796fc598357c07c57f24be8e0f8d.exe
PID 2972 wrote to memory of 1556	2972	6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe	8ee6796fc598357c07c57f24be8e0f8d.exe

C:\Users\Admin\AppData\Local\Temp\6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\GetSID.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq explorer.exe" /FO LIST /V
3⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq explorer.exe" /FO LIST /V
4⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' get sid
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Users\Admin\AppData\Local\Temp\nsy2417.tmp
"C:\Users\Admin\AppData\Local\Temp\nsy2417.tmp" /S /UPDATE /NAME ${UppFolderName} /SID S-1-5-21-3452737119-3959686427-228443150-1000 _?=C:\Users\Admin\AppData\Local\Temp
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\sc.exe
sc delete "0"
3⤵
- Launches sc.exe
PID:2560

C:\Windows\SysWOW64\sc.exe
sc create e848c604cacf2a9936e35d2dcd3d9833 binpath= C:\Windows\system32\drivers\e848c604cacf2a9936e35d2dcd3d9833.sys DisplayName= e848c604cacf2a9936e35d2dcd3d9833 type= kernel start= system group= PNP_TDI
2⤵
- Launches sc.exe
PID:1732

C:\Windows\SysWOW64\sc.exe
sc start e848c604cacf2a9936e35d2dcd3d9833
2⤵
- Launches sc.exe
PID:2712

C:\Program Files\0284cc8d6dbf9d5c14e9e63be1b26083\8ee6796fc598357c07c57f24be8e0f8d.exe
"C:\Program Files\0284cc8d6dbf9d5c14e9e63be1b26083\8ee6796fc598357c07c57f24be8e0f8d.exe" --install
2⤵
- Executes dropped EXE
- Modifies registry class
PID:1556

C:\Program Files\0284cc8d6dbf9d5c14e9e63be1b26083\8ee6796fc598357c07c57f24be8e0f8d.exe
"C:\Program Files\0284cc8d6dbf9d5c14e9e63be1b26083\8ee6796fc598357c07c57f24be8e0f8d.exe"
1⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetSID.bat
Filesize
318B

MD5
e30dcd7ebbf471ece9b52809f7bf0b8f

SHA1
fbcfcea872f8aa30b4802fc41c46028e8da064d5

SHA256
c3738c586b10a499f7a528e6405e2309c4988d360de57f42169ca51e94537478

SHA512
72d169d9506f4ff7024e79e1e5a676f5d85311bc28ca92119f83bbb761a83cc4389adb8baf8c91aa039782a4a96e5ce747bd472981a8d80e72f3fcf8c238ea79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd24D0.tmp\nsisos.dll
Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1EC9.tmp\brh.dll
Filesize
840KB

MD5
355c877b0a9c80d27eca9a480bf5fd5d

SHA1
af1d07a1d11d7f3e24d84324cc0cf70849da9338

SHA256
2e484b9053b5e155608fd10da190d4ee92c2286eea2a3f2ee6c564f24e8c1bba

SHA512
b2f115824617c9c23ef9df3b89f0cba6852071cd997ecb543cf1ca9c72fdefa636a74d25393c70c4ae2f602f499d5704c0917e8036c81537f8e07f0c0ee50250

Download Submit
\Users\Admin\AppData\Local\Temp\nsd24D0.tmp\NSISList.dll
Filesize
97KB

MD5
2e0785f18f8714393bc4bc1fe170eadf

SHA1
1efba431c0fac46c6cb6f60dc08f65a0e23ccf3d

SHA256
e68d65626b24e7c1f6fbe1001f43174d0243095181025736f37ad704662f4351

SHA512
8a272bb264fa066960a4f34411a81652839eccdbc6fa25be20c0b94d7d10b16cb568338abb5d1a96c155cbc4bc7923d0387fa36bed69c1021296cc6cc5fbb45e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd24D0.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsd24D0.tmp\StdUtils.dll
Filesize
94KB

MD5
9be4857761626998d1522c623058b2d0

SHA1
054c7d13400117f8b4accc2cba2bca5f976baa70

SHA256
8717e451286278ba07a15197f0292de2fd90487a9f78ad00b28f5d6b6ea2c8c9

SHA512
8bca7b46a3f1d8b11a8690b02e3802428b310693f090a4ddfb397249b4f5ce9ff6112d0f2a85f89ac5eb75133035bcb111cac8bc6cb18ad9875d17122834d81c

Download Submit
\Users\Admin\AppData\Local\Temp\nst1EC9.tmp\MoreInfo.dll
Filesize
7KB

MD5
80e34b7f576b710d100f6e7c0bed0c2e

SHA1
2b5b895034d41ee0d0d01bf650594ad0d1346662

SHA256
569d62345f6c915236772fa2575d1806cd2bfe089505807cb477618f1eeccf99

SHA512
f5970c192b7089040fd1cf26e5cab131879b91722dff0216cdc735f9cfde1eda061409b579eb0f11e3b32e5513e34bbedd4050b75bb1b2acc81be814c2c6c59b

Download Submit
\Users\Admin\AppData\Local\Temp\nst1EC9.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nst1EC9.tmp\inetc.dll
Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nst1EC9.tmp\md5dll.dll
Filesize
8KB

MD5
97960d7a18662dac9cd80a8c5e3c794b

SHA1
4c28449cefa9af46bb7a63e9b9ea66a2de0ea287

SHA256
e0d1dc6e4c5cc13fb2db08fc741da0d08b315ebc8d3b53baa61552625d19b9c3

SHA512
1baab7b5378f3a396b31bf63b01b7905759c9f1d17d71882af63338d64eceda1884c947d93e4d9ef911bded1ef061043c873a88b8272f1aa296731aa745e756c

Download Submit
\Users\Admin\AppData\Local\Temp\nst1EC9.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2417.tmp
Filesize
3.8MB

MD5
7ede9c63f9a5134eb50eb928c0c5aabf

SHA1
86d2cf7837cd460043835e8661ae5239c6f59fb3

SHA256
fdc3ac6e64545a4d500e7649203c9fe058c571065e98ae8a0002524879ba3c77

SHA512
7786a98dd74b769bae06e8679b093c134adffeb9bb29d89fc716498fcb900e000c320bfca178610126d5f6a3eeb9a450ac9ea0c8d292a7e6e01ccecd109a9389

Download Submit
memory/1092-2595-0x000000013FED0000-0x0000000140CE6000-memory.dmp

Filesize
14.1MB

Download
memory/1092-2600-0x000000013FED0000-0x0000000140CE6000-memory.dmp

Filesize
14.1MB

Download
memory/1556-2586-0x000000013F6D0000-0x00000001404E6000-memory.dmp

Filesize
14.1MB

Download
memory/1556-2587-0x000000013F6D0000-0x00000001404E6000-memory.dmp

Filesize
14.1MB

Download
memory/2492-67-0x0000000001000000-0x000000000101D000-memory.dmp

Filesize
116KB

Download
memory/2492-73-0x0000000001020000-0x0000000001033000-memory.dmp

Filesize
76KB

Download
memory/2972-29-0x0000000074420000-0x00000000744F8000-memory.dmp

Filesize
864KB

Download
memory/2972-2585-0x0000000004460000-0x0000000005276000-memory.dmp

Filesize
14.1MB

Download
memory/2972-2603-0x0000000074420000-0x00000000744F8000-memory.dmp

Filesize
864KB

Download
memory/2972-2604-0x0000000004460000-0x0000000005276000-memory.dmp

Filesize
14.1MB

Download
memory/2972-2680-0x0000000074420000-0x0000000074464000-memory.dmp

Filesize
272KB

Download