Analysis
-
max time kernel
88s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
12-06-2024 14:34
Behavioral task
behavioral1
Sample
a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe
Resource
win7-20240611-en
General
-
Target
a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe
-
Size
2.2MB
-
MD5
a10213f39ebaee5cfc32f8eadcf4f5b8
-
SHA1
bbf4e14a844767a50f8dacbfae04076353dc93da
-
SHA256
de8e942bec171e7eb893bc3eda18085e9cec38201cd5afcfbdeb11dfdbe597dc
-
SHA512
ff9588ce2a27453b2b2572af9af8a0c9647688c16acac4c3f24125133b0f7f0275d7090a1ac3d9b43ce07735c50397e32449dc9328ac8bc9a046d07d02adc387
-
SSDEEP
24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZd:0UzeyQMS4DqodCnoe+iitjWwwR
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
Processes:
a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe -
Executes dropped EXE 64 IoCs
Processes:
explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepid process 2604 explorer.exe 1232 explorer.exe 1196 spoolsv.exe 2544 spoolsv.exe 2292 spoolsv.exe 1108 spoolsv.exe 1980 spoolsv.exe 1040 spoolsv.exe 2644 spoolsv.exe 580 spoolsv.exe 2040 spoolsv.exe 2308 spoolsv.exe 3068 spoolsv.exe 436 spoolsv.exe 2084 spoolsv.exe 872 spoolsv.exe 2640 spoolsv.exe 824 spoolsv.exe 2144 spoolsv.exe 2668 spoolsv.exe 2896 spoolsv.exe 1976 spoolsv.exe 316 spoolsv.exe 2624 spoolsv.exe 2264 spoolsv.exe 2820 spoolsv.exe 976 spoolsv.exe 2900 spoolsv.exe 1556 spoolsv.exe 2984 spoolsv.exe 3032 spoolsv.exe 520 spoolsv.exe 1800 spoolsv.exe 2672 spoolsv.exe 1388 spoolsv.exe 2028 spoolsv.exe 2508 spoolsv.exe 1484 spoolsv.exe 1692 spoolsv.exe 2148 spoolsv.exe 924 spoolsv.exe 2676 spoolsv.exe 1088 spoolsv.exe 2892 spoolsv.exe 2304 spoolsv.exe 1860 spoolsv.exe 664 spoolsv.exe 1708 spoolsv.exe 2816 spoolsv.exe 524 spoolsv.exe 1128 spoolsv.exe 2384 spoolsv.exe 2340 spoolsv.exe 692 spoolsv.exe 796 spoolsv.exe 852 spoolsv.exe 2032 spoolsv.exe 2756 spoolsv.exe 1648 spoolsv.exe 2140 spoolsv.exe 1368 spoolsv.exe 2744 spoolsv.exe 904 spoolsv.exe 2392 spoolsv.exe -
Loads dropped DLL 64 IoCs
Processes:
a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exeexplorer.exepid process 2648 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe 2648 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exedescription pid process target process PID 2228 set thread context of 2648 2228 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe PID 2604 set thread context of 1232 2604 explorer.exe explorer.exe PID 1196 set thread context of 892 1196 spoolsv.exe spoolsv.exe PID 2544 set thread context of 2132 2544 spoolsv.exe spoolsv.exe -
Drops file in Windows directory 64 IoCs
Processes:
explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exea10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exea10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exespoolsv.exedescription ioc process File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exeexplorer.exepid process 2648 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid process 1232 explorer.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exeexplorer.exespoolsv.exepid process 2648 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe 2648 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 1232 explorer.exe 892 spoolsv.exe 892 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exea10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exeexplorer.exeexplorer.exedescription pid process target process PID 2228 wrote to memory of 2692 2228 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe splwow64.exe PID 2228 wrote to memory of 2692 2228 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe splwow64.exe PID 2228 wrote to memory of 2692 2228 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe splwow64.exe PID 2228 wrote to memory of 2692 2228 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe splwow64.exe PID 2228 wrote to memory of 2648 2228 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe PID 2228 wrote to memory of 2648 2228 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe PID 2228 wrote to memory of 2648 2228 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe PID 2228 wrote to memory of 2648 2228 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe PID 2228 wrote to memory of 2648 2228 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe PID 2228 wrote to memory of 2648 2228 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe PID 2648 wrote to memory of 2604 2648 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe explorer.exe PID 2648 wrote to memory of 2604 2648 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe explorer.exe PID 2648 wrote to memory of 2604 2648 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe explorer.exe PID 2648 wrote to memory of 2604 2648 a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe explorer.exe PID 2604 wrote to memory of 1232 2604 explorer.exe explorer.exe PID 2604 wrote to memory of 1232 2604 explorer.exe explorer.exe PID 2604 wrote to memory of 1232 2604 explorer.exe explorer.exe PID 2604 wrote to memory of 1232 2604 explorer.exe explorer.exe PID 2604 wrote to memory of 1232 2604 explorer.exe explorer.exe PID 2604 wrote to memory of 1232 2604 explorer.exe explorer.exe PID 1232 wrote to memory of 1196 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1196 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1196 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1196 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2544 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2544 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2544 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2544 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2292 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2292 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2292 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2292 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1108 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1108 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1108 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1108 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1980 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1980 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1980 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1980 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1040 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1040 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1040 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 1040 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2644 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2644 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2644 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2644 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 580 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 580 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 580 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 580 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2040 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2040 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2040 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2040 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2308 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2308 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2308 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 2308 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 3068 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 3068 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 3068 1232 explorer.exe spoolsv.exe PID 1232 wrote to memory of 3068 1232 explorer.exe spoolsv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a10213f39ebaee5cfc32f8eadcf4f5b8_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1196 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:892 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1632
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2544 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2132
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2292 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1132
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1108 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2008
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1980 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3736
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3816
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1040 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3764
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2644 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3188
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:580 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3504
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2040 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3788
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2308 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3780
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3068 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3172
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:436 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3864
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2084 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:940
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:872 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4044
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2640 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3244
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:824 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3164
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2144 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2668 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2160
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2896 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1976 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:316 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2624 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2264 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2820 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:976 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2900 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1556 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2984 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3032 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:520 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1800 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2672 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1388 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2028 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2508 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1484 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1692 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2148 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:924 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2676 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1088 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2892 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2304 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1860 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:664 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1708 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2816 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:524 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1128 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2384 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2340 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:692 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:796 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:852 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2032 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2756 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1648 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2140 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1368 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2744 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:904 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2392 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2828 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2164
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1084
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2168
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3560
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1652
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4012
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize
56KB
MD5bd72dcf1083b6e22ccbfa0e8e27fb1e0
SHA13fd23d4f14da768da7b8364d74c54932d704e74e
SHA25690f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1
SHA51272360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562
-
Filesize
2.2MB
MD59360c71ad11d5ca6e53c7ec93129ad9a
SHA13c6dc4e0befc3cb1940b9c5d197d92d573bec453
SHA2560e4ab09ca7cdbf25d5a096da43112bbdb4b3374021105b2b1ab291d275819b73
SHA512f646c53ab36d569d752370fdc6ff0537e021e0804c9e6ef5722677c0483ecd2d18afed0ef0ff5e9ac2e5465d63d9c1a56a4e677ead34e19a3d7819730aab43d8
-
Filesize
2.2MB
MD5e2af7405144e3d968b7033bf7fe67ec2
SHA153b17e57815ae5b74d01a4d42415662cf603096e
SHA256cd0515126e53258f49969c8da3a27be2e4884529cdfc0991763f7d38cd2d309a
SHA5121267cb465fba56a030080d43a6fa4dae5f953a733502b8256c5e6f921e3acfdf4ad1d093fa7df8bbc53a735fd83005be3e6f0b5be8ab6853afacbc839b29ae88