Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 20/06/2024, 02:08
Static task: static1
Behavioral task: behavioral1
  Sample: 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe
Size: 186KB
MD5: 01edfc8deea1b56fd6930db05a7dd293
SHA1: ed9ff4c19d14afbcefacd92005b47f78a279d69d
SHA256: b853a1af6a0a60095be2e010048fdbc575ab8e3fa010391bf6f9047ea2a14809
SHA512: 7599f73090538b47ae0bb85a17096f6591ab720428cbce2746f4f01679e01952749d8ff8f91e1734b53e49eeb3deab86fa445cc4ee145162f508e5222c8d5d09
SSDEEP: 3072:4rehbc1Oe4J2u4gVjS3cSIBLjJ1MbLrhQXzmZaDj//lAJP9wKaw:42cUe8zVjSvMMbL1af/CJVzaw
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Windows\\SysWOW64\\wsncs.exe" | wsncs.exe

Modifies firewall policy service (3 TTPs, 18 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wsncs.exe = "C:\\Windows\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | wsncs.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wsncs.exe = "C:\\Windows\\SysWOW64\\wsncs.exeC:\\Windows\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wsncs.exe = "C:\\Windows\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wsncs.exe = "C:\\Windows\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exeC:\\WINDOWS\\system32\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\wsncs.exe = "C:\\WINDOWS\\system32\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wsncs.exe = "C:\\Windows\\SysWOW64\\wsncs.exeC:\\Windows\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wsncs.exe = "C:\\Windows\\SysWOW64\\wsncs.exeC:\\Windows\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wsncs.exe = "C:\\Windows\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wsncs.exe = "C:\\Windows\\SysWOW64\\wsncs.exeC:\\Windows\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wsncs.exe = "C:\\Windows\\SysWOW64\\wsncs.exeC:\\Windows\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wsncs.exe = "C:\\Windows\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | wsncs.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | wsncs.exe

Deletes itself (1 IoC)
pid | Process
- 2996 | wsncs.exe

Executes dropped EXE (6 IoCs)
pid | Process
- 2996 | wsncs.exe
- 1176 | wsncs.exe
- 556 | wsncs.exe
- 2816 | wsncs.exe
- 2024 | wsncs.exe
- 2480 | wsncs.exe

Loads dropped DLL (10 IoCs)
pid | Process
- 624 | 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe
- 624 | 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe
- 1176 | wsncs.exe
- 1176 | wsncs.exe
- 2996 | wsncs.exe
- 2996 | wsncs.exe
- 2816 | wsncs.exe
- 2024 | wsncs.exe
- 2024 | wsncs.exe
- 2480 | wsncs.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\Windows\\SysWOW64\\wsncs.exe\" *" | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\Windows\\SysWOW64\\wsncs.exe\" *" | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\Windows\\SysWOW64\\wsncs.exe\" *" | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\Windows\\SysWOW64\\wsncs.exe\" *" | wsncs.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\Windows\\SysWOW64\\wsncs.exe\" *" | wsncs.exe

Drops file in System32 directory (12 IoCs)
description | ioc | Process
- File opened for modification | C:\WINDOWS\SysWOW64\wsncs.exe | wsncs.exe
- File opened for modification | C:\WINDOWS\SysWOW64\wsncs.exe | wsncs.exe
- File created | C:\WINDOWS\SysWOW64\wsncs.exe | wsncs.exe
- File opened for modification | C:\WINDOWS\SysWOW64\wsncs.exe | wsncs.exe
- File created | C:\WINDOWS\SysWOW64\wsncs.exe | wsncs.exe
- File opened for modification | C:\WINDOWS\SysWOW64\wsncs.exe | 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe
- File created | C:\WINDOWS\SysWOW64\wsncs.exe | wsncs.exe
- File opened for modification | C:\WINDOWS\SysWOW64\wsncs.exe | wsncs.exe
- File created | C:\WINDOWS\SysWOW64\wsncs.exe | wsncs.exe
- File opened for modification | C:\WINDOWS\SysWOW64\wsncs.exe | wsncs.exe
- File created | C:\WINDOWS\SysWOW64\wsncs.exe | wsncs.exe
- File created | C:\WINDOWS\SysWOW64\wsncs.exe | 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe

Modifies data under HKEY_USERS (14 IoCs)
description | ioc | Process
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | wsncs.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | wsncs.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\Windows\\SysWOW64\\wsncs.exe\" *" | wsncs.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | wsncs.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | wsncs.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | wsncs.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | wsncs.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | wsncs.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\Windows\\SysWOW64\\wsncs.exe\" *" | wsncs.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | wsncs.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\Windows\\SysWOW64\\wsncs.exe\" *" | wsncs.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\Windows\\SysWOW64\\wsncs.exe\" *" | wsncs.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | wsncs.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\Windows\\SysWOW64\\wsncs.exe\" *" | wsncs.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 1176 | wsncs.exe (64 identical entries, all from PID 1176)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 1176 | wsncs.exe (64 identical entries, all from PID 1176)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target, grouped by writing process and listed in the order the report gives; the number in parentheses is procid_target
- PID 624 (01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe) wrote to memory of: 2996 (28), 2996 (28), 2996 (28), 2996 (28)
- PID 1176 (wsncs.exe) wrote to memory of: 1360 (21), 432 (5), 260 (1), 904 (17), 496 (18), 2996 (28), 320 (25), 664 (10), 492 (7), 1184 (24), 904 (17), 2996 (28), 852 (13), 336 (2), 664 (10), 596 (9), 904 (17), 396 (4), 852 (13), 432 (5), 904 (17), 748 (11), 476 (6), 476 (6), 496 (18), 396 (4), 664 (10), 492 (7), 852 (13), 664 (10), 1224 (19), 812 (12), 384 (3), 384 (3), 748 (11), 596 (9), 596 (9), 288 (16), 852 (13), 852 (13), 904 (17), 988 (15), 596 (9), 396 (4), 476 (6), 492 (7), 288 (16), 432 (5), 812 (12), 852 (13), 2996 (28), 476 (6), 500 (8), 1312 (20), 336 (2), 492 (7)
- PID 2996 (wsncs.exe) wrote to memory of: 1360 (21), 432 (5), 812 (12), 492 (7)
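The registry rows above are the ones worth machine-checking rather than eyeballing, and they carry two details that matter when reading this report. First, several of the firewall values are malformed (the path is concatenated twice, e.g. `...wsncs.exeC:\\Windows\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS`), which a parser should flag instead of silently accepting. Second, the Userinit change lands under `Wow6432Node` because the sample is 32-bit and its writes to `HKLM\SOFTWARE` are redirected by WOW64; the 64-bit winlogon.exe reads the native Winlogon key, so on this x64 image that hook is not what brings wsncs.exe back, whereas the `Wow6432Node\...\Run` value is processed at logon. The Python below is an added example, not tria.ge code: it parses `Set value (str)` rows in the exact form the report prints them (the rows are copied from the tables above and embedded as constructed input), and applies those checks. `USERINIT_DEFAULTS`, the core-key heuristics and the wording of the findings are my own assumptions.

```python
"""Triage of the registry IoCs in the signature tables above.

Added example, not tria.ge code. The rows are copied from the report; the
parsing and the checks are mine and the allowlist is an assumption.
"""
import re

# Constructed input: "Set value (str)" rows exactly as the report prints them
# (backslashes and quotes inside the value are escaped, JSON style).
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Windows\\SysWOW64\\wsncs.exe" wsncs.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wsncs.exe = "C:\\Windows\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS" wsncs.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wsncs.exe = "C:\\Windows\\SysWOW64\\wsncs.exeC:\\Windows\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS" wsncs.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\Windows\\SysWOW64\\wsncs.exe\" *" wsncs.exe',
    r'Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\Windows\\SysWOW64\\wsncs.exe\" *" wsncs.exe',
]

ROW_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<val>.*)" (?P<proc>\S+)$')
# Legacy firewall exception value: <path>:<scope>:Enabled|Disabled:<name>
FW_VALUE_RE = re.compile(
    r'^(?P<path>.*\.exe):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$', re.I)
# What Userinit normally contains (assumed allowlist; extend for your estate).
USERINIT_DEFAULTS = {'userinit.exe', r'c:\windows\system32\userinit.exe'}


def unescape(value):
    # Undo the report's escaping: a backslash escapes the next character.
    return re.sub(r'\\(.)', r'\1', value)


def parse_row(row):
    m = ROW_RE.match(row)
    return None if m is None else (m['key'], unescape(m['val']), m['proc'])


def command_target(command):
    # First token of a command line, honouring a quoted image path.
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(' ', 1)[0]


def check_userinit(key, value):
    notes = []
    parts = [p.strip() for p in value.split(',') if p.strip()]
    extra = [p for p in parts if p.lower() not in USERINIT_DEFAULTS]
    if extra:
        notes.append('Userinit chain extended with: ' + ', '.join(extra))
    if '\\wow6432node\\' in key.lower():
        notes.append('stored under Wow6432Node: written through WOW64 redirection, '
                     'while 64-bit winlogon.exe reads the native Winlogon key')
    return notes


def check_firewall(key, value):
    notes = []
    app_in_key = key.split('\\List\\', 1)[1]
    m = FW_VALUE_RE.match(value)
    if m is None:
        return ['unparseable AuthorizedApplications value: ' + value]
    if m['state'].lower() == 'enabled':
        notes.append(f'firewall exception enabled for {app_in_key} '
                     f'(name {m["name"]}, scope {m["scope"]})')
    if m['path'].lower() != app_in_key.lower():
        notes.append('malformed entry: value path ' + m['path'] + ' does not match the key')
    return notes


def check_run(key, value):
    name = key.rsplit('\\', 1)[1]
    notes = [f'Run value {name} -> {command_target(value)}']
    if key.upper().startswith(r'\REGISTRY\USER\.DEFAULT'):
        notes.append('placed in HKU\\.DEFAULT, the hive used before logon and by LocalSystem')
    return notes


def triage(rows):
    """Return (key, note) pairs for every row that trips a check."""
    findings = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        key, value, _proc = parsed
        k = key.lower()
        if k.endswith('\\winlogon\\userinit'):
            notes = check_userinit(key, value)
        elif '\\authorizedapplications\\list\\' in k:
            notes = check_firewall(key, value)
        elif '\\currentversion\\run\\' in k:
            notes = check_run(key, value)
        else:
            notes = []
        findings.extend((key, n) for n in notes)
    return findings


if __name__ == '__main__':
    for key, note in triage(REPORT_ROWS):
        print(f'{note}\n    at {key}')
```

On a live host the same checks apply to both the native keys and their `Wow6432Node` counterparts; a 32-bit implant will only ever show up in the latter, and a 64-bit one only in the former.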
Processes (image | command line | PID; signature hits nested under the process)
- C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | PID 260
- C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 336
- C:\Windows\system32\wininit.exe | wininit.exe | PID 384
  - C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID 476
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID 596
      - C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding | PID 408
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID 664
    - C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID 748
    - C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID 812
      - C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID 1312
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID 852
      - C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | PID 1044
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID 988
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID 288
    - C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID 904
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID 496
    - C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID 1224
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID 1184
    - C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID 320
    - C:\Windows\SysWOW64\wsncs.exe | C:\Windows\SysWOW64\wsncs.exe | PID 1176
      - Modifies WinLogon for persistence
      - Modifies firewall policy service
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wsncs.exe | C:\Windows\SysWOW64\wsncs.exe | PID 556
      - Modifies firewall policy service
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\wsncs.exe | C:\Windows\SysWOW64\wsncs.exe | PID 2816
      - Modifies firewall policy service
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\wsncs.exe | C:\Windows\SysWOW64\wsncs.exe | PID 2024
      - Modifies firewall policy service
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\wsncs.exe | C:\Windows\SysWOW64\wsncs.exe | PID 2480
      - Modifies firewall policy service
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
  - C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 492
  - C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID 500
- C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 396
- C:\Windows\system32\winlogon.exe | winlogon.exe | PID 432
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 1360
  - C:\Users\Admin\AppData\Local\Temp\01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe" | PID 624
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\SysWOW64\wsncs.exe | "C:\WINDOWS\system32\wsncs.exe" "C:\Users\Admin\AppData\Local\Temp\01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe" | PID 2996
      - Modifies firewall policy service
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
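The WriteProcessMemory table and the process tree above are only useful together: the table gives PIDs, the tree says what those PIDs are. The Python below is an added example (mine, not tria.ge's) that joins the two and reports, per writing process, how many writes it made, which processes it wrote into, and which of those are core Windows processes. Its input is an excerpt of the report's rows, embedded as constructed text; `PROCESS_NAMES` is built from the tree above and `CORE_SYSTEM` is my own list. A row here records a `WriteProcessMemory` call into the target, which shows intent to inject rather than proof that code ran there; read it together with the `SeDebugPrivilege` adjustments and process enumeration by the same PID 1176, since that privilege is what lets an administrator's process open SYSTEM-owned processes such as csrss.exe, lsass.exe or smss.exe for writing on Windows 7.

```python
"""Which processes did the dropped binary write into?

Added example, not tria.ge code. Joins the report's WriteProcessMemory rows
with the PID -> image map taken from its process tree.
"""
import re

# PID -> image name, constructed from the report's process tree.
PROCESS_NAMES = {
    260: "smss.exe", 336: "csrss.exe", 384: "wininit.exe", 476: "services.exe",
    596: "svchost.exe", 408: "wmiprvse.exe", 664: "svchost.exe", 748: "svchost.exe",
    812: "svchost.exe", 1312: "Dwm.exe", 852: "svchost.exe", 1044: "WMIADAP.EXE",
    988: "svchost.exe", 288: "svchost.exe", 904: "spoolsv.exe", 496: "svchost.exe",
    1224: "taskhost.exe", 1184: "svchost.exe", 320: "sppsvc.exe", 1176: "wsncs.exe",
    556: "wsncs.exe", 2816: "wsncs.exe", 2024: "wsncs.exe", 2480: "wsncs.exe",
    492: "lsass.exe", 500: "lsm.exe", 396: "csrss.exe", 432: "winlogon.exe",
    1360: "Explorer.EXE", 624: "01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe",
    2996: "wsncs.exe",
}

# Core Windows processes that a user-mode program has no business writing into
# (my list, not something the report defines).
CORE_SYSTEM = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
               "services.exe", "lsass.exe", "lsm.exe"}

# Constructed excerpt of the report's rows (description, pid, Process, procid_target).
REPORT_EXCERPT = """
PID 624 wrote to memory of 2996 624 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe 28
PID 624 wrote to memory of 2996 624 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe 28
PID 1176 wrote to memory of 1360 1176 wsncs.exe 21
PID 1176 wrote to memory of 432 1176 wsncs.exe 5
PID 1176 wrote to memory of 260 1176 wsncs.exe 1
PID 1176 wrote to memory of 904 1176 wsncs.exe 17
PID 1176 wrote to memory of 496 1176 wsncs.exe 18
PID 1176 wrote to memory of 2996 1176 wsncs.exe 28
PID 1176 wrote to memory of 320 1176 wsncs.exe 25
PID 1176 wrote to memory of 664 1176 wsncs.exe 10
PID 1176 wrote to memory of 492 1176 wsncs.exe 7
PID 1176 wrote to memory of 1184 1176 wsncs.exe 24
PID 1176 wrote to memory of 904 1176 wsncs.exe 17
PID 1176 wrote to memory of 336 1176 wsncs.exe 2
PID 1176 wrote to memory of 596 1176 wsncs.exe 9
PID 1176 wrote to memory of 396 1176 wsncs.exe 4
PID 1176 wrote to memory of 384 1176 wsncs.exe 3
PID 1176 wrote to memory of 476 1176 wsncs.exe 6
PID 1176 wrote to memory of 500 1176 wsncs.exe 8
PID 2996 wrote to memory of 1360 2996 wsncs.exe 21
PID 2996 wrote to memory of 432 2996 wsncs.exe 5
PID 2996 wrote to memory of 812 2996 wsncs.exe 12
PID 2996 wrote to memory of 492 2996 wsncs.exe 7
"""

# The writer PID appears twice per row (description and pid column), hence \1.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_writes(text):
    """Return (writer_pid, target_pid, writer_image, procid_target) tuples."""
    return [(int(w), int(t), img, int(idx)) for w, t, img, idx in ROW_RE.findall(text)]


def summarize(writes, names=PROCESS_NAMES):
    """Per writer: number of writes, distinct targets and the core-system ones."""
    by_writer = {}
    for writer, target, _image, _idx in writes:
        entry = by_writer.setdefault(
            writer, {"writes": 0, "targets": {}, "core_targets": set()})
        entry["writes"] += 1
        name = names.get(target, "?")
        entry["targets"][target] = name
        if name in CORE_SYSTEM:
            entry["core_targets"].add(name)
    return by_writer


def writers_touching_core(summary):
    """Writer PIDs that wrote into at least one core system process."""
    return sorted(pid for pid, e in summary.items() if e["core_targets"])


if __name__ == "__main__":
    summary = summarize(parse_writes(REPORT_EXCERPT))
    for pid in sorted(summary):
        e = summary[pid]
        print(f"PID {pid} ({PROCESS_NAMES.get(pid, '?')}): {e['writes']} writes into "
              f"{len(e['targets'])} processes; core: {sorted(e['core_targets'])}")
```

Run over the full table rather than the excerpt, PID 1176 reaches nearly every process in the tree, which is the pattern to look for in your own telemetry: one process with `SeDebugPrivilege` opening and writing to many unrelated processes in a short window.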
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 87KB
  MD5: 6d301d243e39ad47b102577d4c7c7654
  SHA1: 751d64b54c30ec23e53402899467ce3000017170
  SHA256: fe8ee7fbc16adfca86a1ac9be0c947a456d4758987276336a84aa5bceca7631f
  SHA512: 0a3dcb9c6dcc3aec4e39196151a7b169f7dd28c5a3b800450de326d110d0df2a441a113373748832881607a26c5f19546ff72be17795d09cd9d274e013332c01
- Filesize: 186KB
  MD5: 01edfc8deea1b56fd6930db05a7dd293
  SHA1: ed9ff4c19d14afbcefacd92005b47f78a279d69d
  SHA256: b853a1af6a0a60095be2e010048fdbc575ab8e3fa010391bf6f9047ea2a14809
  SHA512: 7599f73090538b47ae0bb85a17096f6591ab720428cbce2746f4f01679e01952749d8ff8f91e1734b53e49eeb3deab86fa445cc4ee145162f508e5222c8d5d09