Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 07:36
Behavioral task: behavioral1
- Sample: 89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe
- Size: 6.9MB
- MD5: 89c47e27bec5a374476ffaf92ab2b6d2
- SHA1: 6486a7db83b1be2ed5ef7239262d22508d3e075a
- SHA256: 407c70f0c1a1e34503dae74dd973cf037d607e3c4deb8f063d33f2142f1baf71
- SHA512: f0c65570b230236b2dda4e326122f54b8174fd2d17c6e5c9ddb1b0f80c9733f023ba86252400dc0bc9ee314fb4023bd1dac6fda6297e17fe18493d175f2634bc
- SSDEEP: 98304:kzHf7vmorbC/yNwFC6TJZcE94Kcj3sA/Ibt1YcyDXs:+Hzvpr6FHt4Kc+NIs
Malware Config
Signatures
- Glupteba payload (1 IoC)
  resource: behavioral2/files/0x000c000000023375-2.dat, yara_rule: family_glupteba
- Modifies Windows Firewall (2 TTPs, 2 IoCs)
  Processes: netsh.exe (PID 3100), netsh.exe (PID 4432)
- Executes dropped EXE (1 IoC)
  Processes: csrss.exe (PID 4004)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpringSmoke = "\"C:\\Windows\\rss\\csrss.exe\""
- Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  Process 89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe: File opened (read-only) \??\VBoxMiniRdrDN
- Drops file in Windows directory (2 IoCs)
  Process 89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe: File created C:\Windows\rss\csrss.exe
  Process 89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe: File opened for modification C:\Windows\rss
- Modifies data under HKEY_USERS (64 IoCs)
  Process 89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe: 64 string values written under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\, one per @tzres.dll time-zone resource, each of the form C:\Windows\system32\,@tzres.dll,-<id> = "<time-zone display name>" (for example -41 = "E. South America Daylight Time", -2062 = "North Korea Standard Time").
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: 89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe (PID 3592, 8 IoCs), 89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe (PID 2248, 6 IoCs), csrss.exe (PID 4004, 4 IoCs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process 89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe (PID 3592): Token: SeDebugPrivilege
  Process 89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe (PID 3592): Token: SeImpersonatePrivilege
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2248 (89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe) wrote to memory of 2724, procid_target 89 (2 IoCs)
  PID 2724 (cmd.exe) wrote to memory of 4432, procid_target 91 (2 IoCs)
  PID 2248 (89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe) wrote to memory of 5032, procid_target 93 (2 IoCs)
  PID 5032 (cmd.exe) wrote to memory of 3100, procid_target 95 (2 IoCs)
  PID 2248 (89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe) wrote to memory of 4004, procid_target 98 (3 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe (PID 3592)
  Command line: "C:\Users\Admin\AppData\Local\Temp\89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe (PID 2248)
    Command line: "C:\Users\Admin\AppData\Local\Temp\89c47e27bec5a374476ffaf92ab2b6d2_JaffaCakes118.exe"
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 2724)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe (PID 4432)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies Windows Firewall
    - C:\Windows\system32\cmd.exe (PID 5032)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe (PID 3100)
        Command line: netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes
        - Modifies Windows Firewall
    - C:\Windows\rss\csrss.exe (PID 4004)
      Command line: C:\Windows\rss\csrss.exe ""
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)