Malware Analysis Report

2024-09-09 19:16

Sample ID: 240613-vb9fzs1brj
Target: a6961f695783bdf9b602551df545cbcd_JaffaCakes118
SHA256: 99cd6c5bf2a0bccc76155ae1270c6c65aee26f07373886b90818e43d2947ce98
Tags: evasion, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 99cd6c5bf2a0bccc76155ae1270c6c65aee26f07373886b90818e43d2947ce98

Threat Level: Known bad. The file a6961f695783bdf9b602551df545cbcd_JaffaCakes118 was found to be: Known bad.

In both detonations the sample runs a copy of itself from C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe; in behavioral1 that file has the same SHA256 as the submitted sample, so the "dropped EXE" is a self-copy borrowing the name of the Windows shell. The copy drops uiui8.dll beside it and a 1681.lnk into a Startup folder, re-hides protected operating-system files and the .exe extension in Explorer, and writes an Image File Execution Options Debugger value of "ntsd -d" for several dozen security-tool image names, which prevents those tools from starting.

Malicious Activity Summary

Tags: evasion, persistence

Modifies visibility of hidden/system files in Explorer

Sets file execution options in registry

Modifies system executable filetype association

Executes dropped EXE

Loads dropped DLL

Drops startup file

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-13 16:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 16:50
Reported: 2024-06-13 16:52
Platform: win7-20240508-en
Max time kernel: 148s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A
Note: ShowSuperHidden = 0 is the Windows default, so the value by itself is not evidence of compromise; the indicator is the write to a user's Explorer settings by a process outside Windows (here the explorer.exe copy in Common Files), which re-hides protected operating-system files if the user had turned them on.

Sets file execution options in registry

persistence
Description | Indicator | Process | Target
Every row below has Process = C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe and Target = N/A. Indicators are subkeys of \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ and are shown relative to that key. Each Debugger value is "ntsd -d": Windows then starts the image named by the subkey through ntsd.exe, which Windows Vista and later do not ship, so the named program fails to launch. The names (autoruns.exe, IceSword.exe, SREng.EXE, nod32krn.exe, ccSvcHst.exe, 360safebox.exe and many more) are antivirus and forensic tools, so although the sandbox tags this "persistence", the effect here is disabling defences.
Set value (str) | niu.exe\Debugger = "ntsd -d"
Set value (str) | guangd.exe\Debugger = "ntsd -d"
Set value (str) | KASTask.exe\Debugger = "ntsd -d"
Key created | KAVDX.exe
Set value (str) | loaddll.exe\Debugger = "ntsd -d"
Set value (str) | PFWLiveUpdate.exe\Debugger = "ntsd -d"
Set value (str) | scan32.exe\Debugger = "ntsd -d"
Key created | KAVSetup.exe
Set value (str) | KvXP.kxp\Debugger = "ntsd -d"
Key created | Wsyscheck.exe
Set value (str) | KVMonXP.kxp\Debugger = "ntsd -d"
Key created | kvupload.exe
Set value (str) | NAVSetup.exe\Debugger = "ntsd -d"
Set value (str) | USBCleaner.exe\Debugger = "ntsd -d"
Key created | av.exe
Key created | AntiU.exe
Set value (str) | KAVDX.exe\Debugger = "ntsd -d"
Key created | kvol.exe
Set value (str) | UIHost.exe\Debugger = "ntsd -d"
Set value (str) | ArSwp.exe\Debugger = "ntsd -d"
Key created | QQSC.exe
Set value (str) | KvfwMcl.exe\Debugger = "ntsd -d"
Set value (str) | KvXP_1.kxp\Debugger = "ntsd -d"
Key created | MagicSet.exe
Key created | rfwcfg.exe
Key created | Rsaupd.exe
Key created | rfwmain.exe
Key created | IceSword.exe
Key created | symlcsvc.exe
Key created | kwatch.exe
Set value (str) | KVSrvXP.exe\Debugger = "ntsd -d"
Key created | nod32krn.exe
Set value (str) | UFO.exe\Debugger = "ntsd -d"
Set value (str) | Wsyscheck.exe\Debugger = "ntsd -d"
Set value (str) | rfwProxy.exe\Debugger = "ntsd -d"
Key created | CCenter.exe
Key created | KAV32.exe
Set value (str) | KRegEx.exe\Debugger = "ntsd -d"
Set value (str) | KWatchX.exe\Debugger = "ntsd -d"
Key created | sos.exe
Key created | AutoRun.exe
Key created | 360safebox.exe
Set value (str) | ArSwp2.exe\Debugger = "ntsd -d"
Set value (str) | Ras.exe\Debugger = "ntsd -d"
Key created | SmartUp.exe
Set value (str) | SREng.EXE\Debugger = "ntsd -d"
Set value (str) | UmxFwHlp.exe\Debugger = "ntsd -d"
Key created | vsstat.exe
Key created | ccSvcHst.exe
Set value (str) | mcconsol.exe\Debugger = "ntsd -d"
Set value (str) | rfwcfg.exe\Debugger = "ntsd -d"
Set value (str) | SysSafe.exe\Debugger = "ntsd -d"
Key created | runiep.exe
Key created | avgrssvc.exe
Key created | RsAgent.exe
Key created | KRegEx.exe
Set value (str) | kissvc.exe\Debugger = "ntsd -d"
Key created | Navapw32.exe
Key created | avconsol.exe
Set value (str) | IceSword.exe\Debugger = "ntsd -d"
Set value (str) | autoruns.exe\Debugger = "ntsd -d"
Key created | KPFWSvc.exe
Key created | AgentSvr.exe
Set value (str) | PFW.exe\Debugger = "ntsd -d"

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1681.lnk | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A
Note: a clean exefile class has no NeverShowExt value; with it set, Explorer omits the .exe suffix from every executable's displayed name, so a file such as photo.jpg.exe shows as photo.jpg. The sandbox tags this "persistence", but it creates no execution trigger; it is an evasion measure.
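The three registry signatures above (the IFEO Debugger values, ShowSuperHidden and exefile\NeverShowExt) are the ones a responder would check first on other hosts. The PowerShell below is an added example written for this page, not sandbox output or code from the sample; it enumerates every IFEO subkey carrying a Debugger value, marks the ones matching this sample's "ntsd -d", removes them when run with -Remediate, and reports the two Explorer hiding settings per user hive. Key paths and values come from the report; the function names, the -Remediate switch and the ntsd regular expression are this example's own choices. It assumes an elevated session.

```powershell
# Added example for this report, not part of the sandbox output: hunt for the
# registry indicators listed above on a live Windows host. Run from an elevated
# PowerShell session. Key paths and values are taken from the report; the
# function names, the -Remediate switch and the ntsd regex are this example's own.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerHijack {
    param([switch]$Remediate)

    foreach ($key in Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue) {
        $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $debugger) { continue }   # subkeys without Debugger (e.g. MitigationOptions) are normal

        # ntsd.exe is not shipped with Windows Vista and later, so "ntsd -d <image>"
        # cannot run and the program named by the subkey never starts. Any Debugger
        # value deserves a look, but this pattern is the one the sample writes.
        $matchesSample = $debugger -match '^\s*"?ntsd(\.exe)?"?\s+-d\b'

        $removed = $false
        if ($Remediate -and $matchesSample) {
            Remove-ItemProperty -Path $key.PSPath -Name Debugger
            $removed = $true   # the emptied subkey is left in place; without Debugger it does nothing
        }

        [pscustomobject]@{
            Image         = $key.PSChildName
            Debugger      = $debugger
            MatchesSample = $matchesSample
            Removed       = $removed
        }
    }
}

function Get-ExplorerHidingIndicator {
    # A clean HKLM\SOFTWARE\Classes\exefile has no NeverShowExt value at all; "1" makes
    # Explorer drop the .exe suffix from every executable's displayed name.
    $exefile = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\exefile' -ErrorAction SilentlyContinue
    if ($exefile -and $null -ne $exefile.NeverShowExt) {
        [pscustomobject]@{
            Hive    = 'HKLM'
            Setting = 'Classes\exefile\NeverShowExt'
            Value   = $exefile.NeverShowExt
            Note    = 'absent on a clean system'
        }
    }

    # ShowSuperHidden = 0 is the Windows default, so the value alone proves nothing; what
    # the sandbox flagged is the write by the explorer.exe copy in Common Files. Report it
    # per loaded user hive so it can be correlated with a registry-write event (Sysmon ID 13).
    $userHives = Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($hive in $userHives) {
        $adv = Get-ItemProperty -Path "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -ErrorAction SilentlyContinue
        if (-not $adv -or $null -eq $adv.ShowSuperHidden) { continue }
        $note = if ($adv.ShowSuperHidden -eq 0) { 'default value; suspicious only if recently written by a non-Explorer process' } else { 'user shows protected OS files' }
        [pscustomobject]@{
            Hive    = $hive.PSChildName
            Setting = 'Explorer\Advanced\ShowSuperHidden'
            Value   = $adv.ShowSuperHidden
            Note    = $note
        }
    }
}

Get-IfeoDebuggerHijack      | Format-Table -AutoSize
Get-ExplorerHidingIndicator | Format-Table -AutoSize
```

Run it read-only first and review the Debugger column: legitimate IFEO Debugger entries exist (a developer pinning a real debugger to a process, for example), so only the rows with MatchesSample = True are removed by -Remediate, and the rest are left for a human to judge.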

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\<letter>: for each of r, s, j, e, g, o, i, p, v, k, l, n, u, y, h, w, q, t, z, x, m (21 drive letters, every letter from e: to z: except f:, in the order logged) | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A
File opened (read-only) | \??\<letter>: for each of j, e, y, v, n, l, k, z, g, t, u, w, x, r, i, m, o, p, q, s, h (the same 21 letters) | C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe | N/A
Both the original sample and its explorer.exe copy probe drive letters one by one rather than asking Windows for the volume list.

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Common Files\uiui8.dll | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\uiui8.dll | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe | N/A (1 event)
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A (63 events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A (2 events)

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A (2 events)

Processes

C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe"

Network

N/A

Files

\Program Files (x86)\Common Files\microsoft shared\explorer.exe

MD5 a6961f695783bdf9b602551df545cbcd
SHA1 9d6f35b80e752f24f28821979f164532f46b6ad6
SHA256 99cd6c5bf2a0bccc76155ae1270c6c65aee26f07373886b90818e43d2947ce98
SHA512 9707707a92b9f158f2130362997f86ba0c77160dd19e4a60046566614806a096229d827ff376b819c107ecdec6e0808c8b63f5e38a4986f8cd78601a97dcb4ef

\Program Files (x86)\Common Files\uiui8.dll

MD5 0cbc6b0568209d4ed0a0ff71db4fd13c
SHA1 8a7166784536e6ebe718d82667d2314c42938387
SHA256 d52d74da5230180634f0459f228202dc876c1c2a5661badd170f8308061f1a60
SHA512 4494eb6b4a1363b06b25bcf3504517279dbf99bc35ffc95d98e5f55804148ed1fbc68e99295fbc2971abb6f58d945e0e8d0f17e0e7f7bf9aa746486a580fc343

memory/2040-24-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-31-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-32-0x0000000000390000-0x000000000039B000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\1681.lnk

MD5 ae342318b288719168082ba3f26d8e33
SHA1 0464e616edc87b677de3e514a5e5baf696ac92ec
SHA256 331939a00efce9cab0dc7e690b7be7de0e3d2378f7ea48640bc80ead177332ec
SHA512 2e7d224df58bdc39395208fae51726c6d7eff76752c1fdc746da3294b159c1b6fbc9440354ff935c41b2d18d6734cfcc6c18fb726b78fc7d73d870a32cebda34

memory/1988-36-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-40-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-45-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-49-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-54-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-58-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-63-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-67-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-72-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-76-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-81-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-85-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-89-0x0000000000400000-0x000000000042B000-memory.dmp
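The hashes above are the host-side file indicators for this detonation. The PowerShell below is an added example for this page, not sandbox output or code from the sample: it looks for the dropped files at the paths the report logged, compares their SHA256 against the values recorded above, and flags any running explorer.exe that did not start from %windir%, which is how the self-copy shows up in a process list. The report lists 1681.lnk under both the per-user and the all-users Startup folder, so both are checked, across every profile on disk. The function names are this example's own; it assumes an elevated session so that all profiles and process paths are readable.

```powershell
# Added example for this report, not part of the sandbox output: check a host for
# the dropped files listed above, using the SHA256 values the report recorded, and
# flag any running explorer.exe that is not %windir%\explorer.exe. Run elevated.
# Function names are this example's own; paths and hashes come from the report.

$ReportSha256 = @{
    'explorer.exe' = '99cd6c5bf2a0bccc76155ae1270c6c65aee26f07373886b90818e43d2947ce98'  # identical to the submitted sample
    'uiui8.dll'    = 'd52d74da5230180634f0459f228202dc876c1c2a5661badd170f8308061f1a60'
    '1681.lnk'     = '331939a00efce9cab0dc7e690b7be7de0e3d2378f7ea48640bc80ead177332ec'
}

function Get-ReportFilePath {
    # The report logs the .lnk under both the per-user and the all-users Startup
    # folder, so both are returned, and every profile on disk is covered rather
    # than only the one running this script.
    $common = ${env:CommonProgramFiles(x86)}
    if (-not $common) { $common = $env:CommonProgramFiles }   # 32-bit Windows has no (x86) tree
    $startup = 'Microsoft\Windows\Start Menu\Programs\Startup\1681.lnk'

    Join-Path $common 'Microsoft Shared\explorer.exe'
    Join-Path $common 'uiui8.dll'
    Join-Path $env:ProgramData $startup
    Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming\$startup" -ErrorAction SilentlyContinue |
        ForEach-Object FullName
}

function Test-ReportFileIoc {
    foreach ($path in Get-ReportFilePath) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Path          = $path
            Sha256        = $hash
            # A different hash at one of these paths still deserves a look: a newer
            # build of the same family, or an unrelated file in an unusual location.
            MatchesReport = ($hash -eq $ReportSha256[(Split-Path -Leaf $path)])
        }
    }
}

function Get-MasqueradingExplorer {
    # Only %windir%\explorer.exe is the real shell; the sample's copy under Common
    # Files\Microsoft Shared borrows the name to blend into process listings.
    $real = (Join-Path $env:windir 'explorer.exe').ToLower()
    Get-Process -Name explorer -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path.ToLower() -ne $real } |
        Select-Object Id, Path, StartTime
}

Test-ReportFileIoc       | Format-Table -AutoSize
Get-MasqueradingExplorer | Format-Table -AutoSize
```

An explorer.exe under Common Files is suspicious whatever its hash; MatchesReport = True ties it to this exact sample, while a mismatch means the file should be collected for analysis rather than dismissed.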

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 16:50
Reported: 2024-06-13 16:52
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | N/A

Sets file execution options in registry

persistence
Description | Indicator | Process | Target
Every row below has Process = C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe and Target = N/A. Indicators are subkeys of \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ and are shown relative to that key; every Debugger value is again "ntsd -d", the same security-tool kill switch seen on Windows 7.
Set value (str) | RsTray.exe\Debugger = "ntsd -d"
Key created | rsnetsvr.exe
Key created | NPFMntor.exe
Key created | QQDoctorMain.exe
Set value (str) | KASTask.exe\Debugger = "ntsd -d"
Key created | UpLive.exe
Key created | kwatch.exe
Key created | SysSafe.exe
Key created | QQSC.exe
Set value (str) | SDGames.exe\Debugger = "ntsd -d"
Key created | 360rpt.exe
Set value (str) | CCenter.exe\Debugger = "ntsd -d"
Key created | isPwdSvc.exe
Key created | KWatch9x.exe
Key created | mcconsol.exe
Set value (str) | 799d.exe\Debugger = "ntsd -d"
Key created | SmartUp.exe
Set value (str) | SREngPS.EXE\Debugger = "ntsd -d"
Key created | jisu.exe
Set value (str) | KAVPF.exe\Debugger = "ntsd -d"
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp3.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wsyscheck.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravcopy.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiU.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\servet.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmp.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logogo.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TNT.Exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastU3.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.pif\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arswp3.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmp.exe\Debugger = "ntsd -d" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1681.lnk C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\k: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\q: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\j: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\o: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\x: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\l: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\p: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\r: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\g: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\h: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\s: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\t: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\u: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\v: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\w: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\m: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\n: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\i: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\y: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened (read-only) \??\z: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\uiui8.dll C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File created C:\Program Files (x86)\Common Files\uiui8.dll C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
File opened for modification C:\Program Files (x86)\Common Files C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe"

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp

Files

C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe

MD5 a6961f695783bdf9b602551df545cbcd
SHA1 9d6f35b80e752f24f28821979f164532f46b6ad6
SHA256 99cd6c5bf2a0bccc76155ae1270c6c65aee26f07373886b90818e43d2947ce98
SHA512 9707707a92b9f158f2130362997f86ba0c77160dd19e4a60046566614806a096229d827ff376b819c107ecdec6e0808c8b63f5e38a4986f8cd78601a97dcb4ef

C:\Program Files (x86)\Common Files\uiui8.dll

MD5 0cbc6b0568209d4ed0a0ff71db4fd13c
SHA1 8a7166784536e6ebe718d82667d2314c42938387
SHA256 d52d74da5230180634f0459f228202dc876c1c2a5661badd170f8308061f1a60
SHA512 4494eb6b4a1363b06b25bcf3504517279dbf99bc35ffc95d98e5f55804148ed1fbc68e99295fbc2971abb6f58d945e0e8d0f17e0e7f7bf9aa746486a580fc343

memory/4712-23-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2420-29-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2420-30-0x0000000000590000-0x000000000059B000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1681.lnk

MD5 ae342318b288719168082ba3f26d8e33
SHA1 0464e616edc87b677de3e514a5e5baf696ac92ec
SHA256 331939a00efce9cab0dc7e690b7be7de0e3d2378f7ea48640bc80ead177332ec
SHA512 2e7d224df58bdc39395208fae51726c6d7eff76752c1fdc746da3294b159c1b6fbc9440354ff935c41b2d18d6734cfcc6c18fb726b78fc7d73d870a32cebda34

memory/2420-34-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2420-38-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2420-43-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2420-47-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2420-52-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2420-56-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2420-61-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2420-65-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2420-70-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2420-75-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2420-79-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2420-83-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2420-88-0x0000000000400000-0x000000000042B000-memory.dmp