Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
29-05-2024 15:51
Static task
static1
Behavioral task
behavioral1
Sample
813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
-
Size
618KB
-
MD5
813f353b1285bcaea41f868746ab9fdd
-
SHA1
301209445bdfd758b1f647bdbcf1609ee07296e7
-
SHA256
ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982
-
SHA512
1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38
-
SSDEEP
12288:LlZyWuK5AwBaCPY5OtC36PdbidyQPdF58SxXnkXnmHuYYOm:WZlwBaCPtC3+e4S1k0D
Malware Config
Extracted
quasar
2.1.0.0
Windows Defender Security
vilvaraj-32652.portmap.io:32652
VNM_MUTEX_XoAJ77Kcpkuyjz4MJK
-
encryption_key
5nIMwmTRG5wyVhouaxGb
-
install_name
Windows Defender Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Defender Security
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 5 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule behavioral1/memory/2868-7-0x0000000000400000-0x000000000048C000-memory.dmp disable_win_def behavioral1/memory/2868-14-0x0000000000400000-0x000000000048C000-memory.dmp disable_win_def behavioral1/memory/2868-12-0x0000000000400000-0x000000000048C000-memory.dmp disable_win_def behavioral1/memory/2868-10-0x0000000000400000-0x000000000048C000-memory.dmp disable_win_def behavioral1/memory/2868-6-0x0000000000400000-0x000000000048C000-memory.dmp disable_win_def -
Processes:
813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe -
Quasar payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2868-7-0x0000000000400000-0x000000000048C000-memory.dmp family_quasar behavioral1/memory/2868-14-0x0000000000400000-0x000000000048C000-memory.dmp family_quasar behavioral1/memory/2868-12-0x0000000000400000-0x000000000048C000-memory.dmp family_quasar behavioral1/memory/2868-10-0x0000000000400000-0x000000000048C000-memory.dmp family_quasar behavioral1/memory/2868-6-0x0000000000400000-0x000000000048C000-memory.dmp family_quasar -
Executes dropped EXE 9 IoCs
Processes:
Windows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exepid process 2728 Windows Defender Security.exe 2204 Windows Defender Security.exe 2548 Windows Defender Security.exe 2512 Windows Defender Security.exe 2564 Windows Defender Security.exe 1292 Windows Defender Security.exe 2064 Windows Defender Security.exe 1224 Windows Defender Security.exe 2308 Windows Defender Security.exe -
Loads dropped DLL 10 IoCs
Processes:
813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exeWindows Defender Security.exeWerFault.exepid process 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 2728 Windows Defender Security.exe 2728 Windows Defender Security.exe 2728 Windows Defender Security.exe 2728 Windows Defender Security.exe 2460 WerFault.exe 2460 WerFault.exe 2460 WerFault.exe 2460 WerFault.exe 2460 WerFault.exe -
Processes:
813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\YmExSBNzQt = "C:\\Users\\Admin\\AppData\\Roaming\\fPKDAorSBW\\aTTSPgNpLj.exe" 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 ip-api.com -
Suspicious use of SetThreadContext 4 IoCs
Processes:
813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exeWindows Defender Security.exeWindows Defender Security.exe813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exedescription pid process target process PID 1916 set thread context of 2868 1916 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe PID 2728 set thread context of 2564 2728 Windows Defender Security.exe Windows Defender Security.exe PID 1292 set thread context of 2308 1292 Windows Defender Security.exe Windows Defender Security.exe PID 752 set thread context of 2212 752 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2460 2564 WerFault.exe Windows Defender Security.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 2788 schtasks.exe 2940 schtasks.exe -
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
Windows Defender Security.exepowershell.exeWindows Defender Security.exeWindows Defender Security.exe813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exepid process 2728 Windows Defender Security.exe 2728 Windows Defender Security.exe 2728 Windows Defender Security.exe 2728 Windows Defender Security.exe 2728 Windows Defender Security.exe 2728 Windows Defender Security.exe 2524 powershell.exe 1292 Windows Defender Security.exe 1292 Windows Defender Security.exe 1292 Windows Defender Security.exe 1292 Windows Defender Security.exe 2308 Windows Defender Security.exe 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 2212 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exeWindows Defender Security.exeWindows Defender Security.exepowershell.exeWindows Defender Security.exeWindows Defender Security.exe813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exedescription pid process Token: SeDebugPrivilege 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe Token: SeDebugPrivilege 2728 Windows Defender Security.exe Token: SeDebugPrivilege 2564 Windows Defender Security.exe Token: SeDebugPrivilege 2524 powershell.exe Token: SeDebugPrivilege 2564 Windows Defender Security.exe Token: SeDebugPrivilege 1292 Windows Defender Security.exe Token: SeDebugPrivilege 2308 Windows Defender Security.exe Token: SeDebugPrivilege 2212 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Windows Defender Security.exepid process 2564 Windows Defender Security.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exeWindows Defender Security.exeWindows Defender Security.execmd.exedescription pid process target process PID 1916 wrote to memory of 2868 1916 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe PID 1916 wrote to memory of 2868 1916 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe PID 1916 wrote to memory of 2868 1916 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe PID 1916 wrote to memory of 2868 1916 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe PID 1916 wrote to memory of 2868 1916 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe PID 1916 wrote to memory of 2868 1916 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe PID 1916 wrote to memory of 2868 1916 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe PID 1916 wrote to memory of 2868 1916 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe PID 1916 wrote to memory of 2868 1916 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe PID 2868 wrote to memory of 2788 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe schtasks.exe PID 2868 wrote to memory of 2788 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe schtasks.exe PID 2868 wrote to memory of 2788 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe schtasks.exe PID 2868 wrote to memory of 2788 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe schtasks.exe PID 2868 wrote to memory of 2728 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe Windows Defender Security.exe PID 2868 wrote to memory of 2728 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe Windows Defender Security.exe PID 2868 wrote to memory of 2728 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe Windows Defender Security.exe PID 2868 wrote to memory of 2728 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe Windows Defender Security.exe PID 2868 wrote to memory of 2524 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe powershell.exe PID 2868 wrote to memory of 2524 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe powershell.exe PID 2868 wrote to memory of 2524 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe powershell.exe PID 2868 wrote to memory of 2524 2868 813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe powershell.exe PID 2728 wrote to memory of 2548 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2548 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2548 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2548 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2204 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2204 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2204 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2204 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2512 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2512 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2512 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2512 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2564 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2564 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2564 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2564 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2564 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2564 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2564 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2564 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2728 wrote to memory of 2564 2728 Windows Defender Security.exe Windows Defender Security.exe PID 2564 wrote to memory of 2940 2564 Windows Defender Security.exe schtasks.exe PID 2564 wrote to memory of 2940 2564 Windows Defender Security.exe schtasks.exe PID 2564 wrote to memory of 2940 2564 Windows Defender Security.exe schtasks.exe PID 2564 wrote to memory of 2940 2564 Windows Defender Security.exe schtasks.exe PID 2564 wrote to memory of 1612 2564 Windows Defender Security.exe cmd.exe PID 2564 wrote to memory of 1612 2564 Windows Defender Security.exe cmd.exe PID 2564 wrote to memory of 1612 2564 Windows Defender Security.exe cmd.exe PID 2564 wrote to memory of 1612 2564 Windows Defender Security.exe cmd.exe PID 2564 wrote to memory of 2460 2564 Windows Defender Security.exe WerFault.exe PID 2564 wrote to memory of 2460 2564 Windows Defender Security.exe WerFault.exe PID 2564 wrote to memory of 2460 2564 Windows Defender Security.exe WerFault.exe PID 2564 wrote to memory of 2460 2564 Windows Defender Security.exe WerFault.exe PID 1612 wrote to memory of 1540 1612 cmd.exe chcp.com PID 1612 wrote to memory of 1540 1612 cmd.exe chcp.com PID 1612 wrote to memory of 1540 1612 cmd.exe chcp.com PID 1612 wrote to memory of 1540 1612 cmd.exe chcp.com PID 1612 wrote to memory of 2396 1612 cmd.exe PING.EXE PID 1612 wrote to memory of 2396 1612 cmd.exe PING.EXE PID 1612 wrote to memory of 2396 1612 cmd.exe PING.EXE PID 1612 wrote to memory of 2396 1612 cmd.exe PING.EXE PID 1612 wrote to memory of 1292 1612 cmd.exe Windows Defender Security.exe PID 1612 wrote to memory of 1292 1612 cmd.exe Windows Defender Security.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Defender Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:2788 -
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"4⤵
- Executes dropped EXE
PID:2548 -
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"4⤵
- Executes dropped EXE
PID:2204 -
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"4⤵
- Executes dropped EXE
PID:2512 -
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Defender Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
PID:2940 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\BVPHdEHRPMhT.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\chcp.comchcp 650016⤵PID:1540
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
PID:2396 -
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292 -
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"7⤵
- Executes dropped EXE
PID:1224 -
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"7⤵
- Executes dropped EXE
PID:2064 -
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 14685⤵
- Loads dropped DLL
- Program crash
PID:2460 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵PID:2684
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵PID:576
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XD7tDiXpWjxx.bat" "3⤵PID:2384
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:1764
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
PID:1356 -
C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"4⤵
- Suspicious use of SetThreadContext
PID:752 -
C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD576226eeb4eb0b9d7aa482eeef3d049fa
SHA1d9e8c59757018d85e1932831b23a28186222507f
SHA2567f6efa931854c0f5400e8cc4a828af4fe26cc4b10bb5f4da1883b0abffc56efc
SHA5129a11d4cfe3d290a1508532dd5cdbf18ed1240fac0377f84bd2835bde04a00112268a60bab6c274406cd773a1c402d408462c33b9d25d288af50b0a2c9dc9e787
-
Filesize
243B
MD5304176c8d670b08df6c6f5344e5fdee7
SHA10c4f618cc813cd66c05d0b8a4e31121bfd4b5cd3
SHA25678cae96ffb8032f1d4ec5e1a70de697baa508d0eb0c660f39a4fd08b3847171d
SHA512e8be96d5f1197c865651517db8886c6e50b0a665620a2159c017007cc4e2b5a1f3bf6fb28f34f786d34d64325bc4572f01962ee4aafd96b889da86d82da07b5d
-
Filesize
618KB
MD5813f353b1285bcaea41f868746ab9fdd
SHA1301209445bdfd758b1f647bdbcf1609ee07296e7
SHA256ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982
SHA5121ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38