Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
14-06-2024 09:31
Behavioral task
behavioral1
Sample
a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe
Resource
win7-20240611-en
General
-
Target
a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe
-
Size
2.2MB
-
MD5
a8fa3c57ab33dd66ba742d49a0e9cd7b
-
SHA1
1ac207291937059c22d65b3264460ffec694debd
-
SHA256
d8ea3aa3bda006bb7ead336e77a992f59b9fdb81466a4f1eda0c2958c277615f
-
SHA512
3d8450cea05047c9eb1e7eccc5104134d33caf8141f50874a2b5d42f5e5404ed3fdfd83c1c71ded0e818eee75bc47b26db6b670b5c9c028a42ba0274243c70ff
-
SSDEEP
24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZg:0UzeyQMS4DqodCnoe+iitjWwwE
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
Processes:
a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe -
Executes dropped EXE 60 IoCs
Processes:
explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepid process 2480 explorer.exe 2752 explorer.exe 2788 spoolsv.exe 2816 spoolsv.exe 2100 spoolsv.exe 2348 spoolsv.exe 1076 spoolsv.exe 2420 spoolsv.exe 2040 spoolsv.exe 520 spoolsv.exe 480 spoolsv.exe 872 spoolsv.exe 1144 spoolsv.exe 1140 spoolsv.exe 1880 spoolsv.exe 2140 spoolsv.exe 2944 spoolsv.exe 2524 spoolsv.exe 2548 spoolsv.exe 1248 spoolsv.exe 432 spoolsv.exe 1780 spoolsv.exe 2900 spoolsv.exe 2720 spoolsv.exe 3056 spoolsv.exe 1644 spoolsv.exe 2500 spoolsv.exe 960 spoolsv.exe 2144 spoolsv.exe 2672 spoolsv.exe 3060 spoolsv.exe 2008 spoolsv.exe 2704 spoolsv.exe 1532 spoolsv.exe 1892 spoolsv.exe 2956 spoolsv.exe 1408 spoolsv.exe 1912 spoolsv.exe 1352 spoolsv.exe 996 spoolsv.exe 2636 spoolsv.exe 2780 spoolsv.exe 2044 spoolsv.exe 880 spoolsv.exe 2684 spoolsv.exe 556 spoolsv.exe 2260 spoolsv.exe 2820 spoolsv.exe 2620 spoolsv.exe 1740 spoolsv.exe 1812 spoolsv.exe 2004 spoolsv.exe 1960 spoolsv.exe 1636 spoolsv.exe 3064 spoolsv.exe 2592 spoolsv.exe 1072 spoolsv.exe 2796 spoolsv.exe 2476 spoolsv.exe 1184 spoolsv.exe -
Loads dropped DLL 64 IoCs
Processes:
a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exeexplorer.exepid process 2740 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe 2740 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exeexplorer.exedescription pid process target process PID 2040 set thread context of 2740 2040 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe PID 2480 set thread context of 2752 2480 explorer.exe explorer.exe -
Drops file in Windows directory 62 IoCs
Processes:
spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exea8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exea8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exedescription ioc process File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exeexplorer.exepid process 2740 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid process 2752 explorer.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exeexplorer.exepid process 2740 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe 2740 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe 2752 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exea8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exeexplorer.exeexplorer.exedescription pid process target process PID 2040 wrote to memory of 2232 2040 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe splwow64.exe PID 2040 wrote to memory of 2232 2040 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe splwow64.exe PID 2040 wrote to memory of 2232 2040 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe splwow64.exe PID 2040 wrote to memory of 2232 2040 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe splwow64.exe PID 2040 wrote to memory of 2740 2040 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe PID 2040 wrote to memory of 2740 2040 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe PID 2040 wrote to memory of 2740 2040 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe PID 2040 wrote to memory of 2740 2040 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe PID 2040 wrote to memory of 2740 2040 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe PID 2040 wrote to memory of 2740 2040 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe PID 2740 wrote to memory of 2480 2740 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe explorer.exe PID 2740 wrote to memory of 2480 2740 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe explorer.exe PID 2740 wrote to memory of 2480 2740 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe explorer.exe PID 2740 wrote to memory of 2480 2740 a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe explorer.exe PID 2480 wrote to memory of 2752 2480 explorer.exe explorer.exe PID 2480 wrote to memory of 2752 2480 explorer.exe explorer.exe PID 2480 wrote to memory of 2752 2480 explorer.exe explorer.exe PID 2480 wrote to memory of 2752 2480 explorer.exe explorer.exe PID 2480 wrote to memory of 2752 2480 explorer.exe explorer.exe PID 2480 wrote to memory of 2752 2480 explorer.exe explorer.exe PID 2752 wrote to memory of 2788 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2788 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2788 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2788 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2816 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2816 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2816 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2816 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2100 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2100 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2100 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2100 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2348 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2348 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2348 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2348 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 1076 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 1076 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 1076 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 1076 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2420 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2420 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2420 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2420 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2040 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2040 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2040 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 2040 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 520 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 520 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 520 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 520 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 480 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 480 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 480 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 480 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 872 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 872 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 872 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 872 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 1144 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 1144 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 1144 2752 explorer.exe spoolsv.exe PID 2752 wrote to memory of 1144 2752 explorer.exe spoolsv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Users\Admin\AppData\Local\Temp\a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8fa3c57ab33dd66ba742d49a0e9cd7b_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Parameters.iniMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\Parameters.iniFilesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
\Windows\system\explorer.exeFilesize
2.2MB
MD5155e4e477e5e5ea924d499c97ce7a809
SHA14b471cb1a851742a3061a5297aeb4b8cd6a778ce
SHA256bdc7e9b4b5bc89f7d25de4252489fbc1729f760b7826c124067ebc73b90b5640
SHA512b2f448850e745ca312605485c84ec0e428a62c3c3feccd55658e9473250c147e2c432ddf46bc2365f3d3af55077edc1e3d5326fd8b4d1d97238e4c5d628325ae
-
\Windows\system\spoolsv.exeFilesize
2.2MB
MD55d5155ef550d5fc0b7502034228d939f
SHA11eb8aee66dd8a1c8aefafc50c714a5eb559baad3
SHA256439b33a3b23e61195c278aea4dbc1324a608a2cf623edcc14344cc6deddc689b
SHA512c7b77220c3254bbc2099682d350d05edc47711a0bc3618c86b871e2fb180f08dbeb49b4e70a9227ea14128e4c8e666d042db75fcbb49a2f4ec649921074c8c34
-
memory/432-1595-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/480-1445-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/520-1444-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/872-1446-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/960-2024-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1056-2731-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1076-1243-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1140-1448-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1144-1447-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1248-1594-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1644-1812-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1680-2604-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1780-1798-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1828-2368-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1880-1449-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2008-2249-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2040-17-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2040-0-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/2040-19-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/2040-1245-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2040-29-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2084-2352-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2100-1011-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2140-1450-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2144-2025-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2152-2403-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2348-1242-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2420-1244-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2480-61-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2480-42-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2480-71-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2500-2023-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2524-1592-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2548-1593-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2672-2026-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2720-1810-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2740-28-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2740-50-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2740-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2740-24-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2740-49-0x0000000000440000-0x000000000051F000-memory.dmpFilesize
892KB
-
memory/2740-20-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2752-1008-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2788-1009-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2816-1010-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2896-2379-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2896-2326-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2900-1809-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2944-1591-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/3056-1811-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/3060-2027-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/3288-2415-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3364-2628-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3424-2427-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3576-2932-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3792-2881-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3928-3108-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3988-2533-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4004-2530-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB