Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/06/2024, 02:08
Static task
- static1
Behavioral task
- behavioral1: sample 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe, resource win7-20231129-en
- behavioral2: sample 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe, resource win10v2004-20240611-en
General
- Target: 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe
- Size: 186KB
- MD5: 01edfc8deea1b56fd6930db05a7dd293
- SHA1: ed9ff4c19d14afbcefacd92005b47f78a279d69d
- SHA256: b853a1af6a0a60095be2e010048fdbc575ab8e3fa010391bf6f9047ea2a14809
- SHA512: 7599f73090538b47ae0bb85a17096f6591ab720428cbce2746f4f01679e01952749d8ff8f91e1734b53e49eeb3deab86fa445cc4ee145162f508e5222c8d5d09
- SSDEEP: 3072:4rehbc1Oe4J2u4gVjS3cSIBLjJ1MbLrhQXzmZaDj//lAJP9wKaw:42cUe8zVjSvMMbL1af/CJVzaw
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\SysWOW64\\wsncs.exe," | wsncs.exe

Modifies firewall policy service (3 TTPs, 20 IoCs; 7 distinct rows shown)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\wsncs.exe = "C:\\WINDOWS\\system32\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | wsncs.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exeC:\\WINDOWS\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | wsncs.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | wsncs.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exeC:\\WINDOWS\\system32\\wsncs.exe:*:Enabled:WSCNS" | wsncs.exe

Deletes itself (1 IoC)
pid | Process
676 | wsncs.exe

Executes dropped EXE (6 IoCs)
pid | Process
676 | wsncs.exe
2248 | wsncs.exe
4308 | wsncs.exe
4824 | wsncs.exe
1624 | wsncs.exe
4480 | wsncs.exe

Loads dropped DLL (12 IoCs; 4 distinct rows shown)
pid | Process
2248 | wsncs.exe
676 | wsncs.exe
1624 | wsncs.exe
4480 | wsncs.exe

Adds Run key to start application (2 TTPs, 5 IoCs, all identical)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\WINDOWS\\SysWOW64\\wsncs.exe\" *" | wsncs.exe

Drops file in System32 directory (12 IoCs; 4 distinct rows shown)
description | ioc | Process
File created | C:\WINDOWS\SysWOW64\wsncs.exe | wsncs.exe
File opened for modification | C:\WINDOWS\SysWOW64\wsncs.exe | wsncs.exe
File opened for modification | C:\WINDOWS\SysWOW64\wsncs.exe | 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe
File created | C:\WINDOWS\SysWOW64\wsncs.exe | 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe

Modifies data under HKEY_USERS (13 IoCs; 3 distinct rows shown)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | wsncs.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\WINDOWS\\SysWOW64\\wsncs.exe\" *" | wsncs.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | wsncs.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs, all identical)
pid | Process
2248 | wsncs.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs, all identical)
description | pid | Process
Token: SeDebugPrivilege | 2248 | wsncs.exe

Suspicious use of WriteProcessMemory (64 IoCs; 42 distinct rows shown)
description | pid | Process | procid_target
PID 3004 wrote to memory of 676 | 3004 | 01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe | 83
PID 2248 wrote to memory of 3444 | 2248 | wsncs.exe | 56
PID 2248 wrote to memory of 636 | 2248 | wsncs.exe | 5
PID 2248 wrote to memory of 2936 | 2248 | wsncs.exe | 49
PID 2248 wrote to memory of 1768 | 2248 | wsncs.exe | 31
PID 2248 wrote to memory of 3992 | 2248 | wsncs.exe | 74
PID 2248 wrote to memory of 3832 | 2248 | wsncs.exe | 59
PID 2248 wrote to memory of 3464 | 2248 | wsncs.exe | 85
PID 2248 wrote to memory of 1848 | 2248 | wsncs.exe | 32
PID 2248 wrote to memory of 1448 | 2248 | wsncs.exe | 25
PID 2248 wrote to memory of 4840 | 2248 | wsncs.exe | 93
PID 2248 wrote to memory of 1128 | 2248 | wsncs.exe | 17
PID 2248 wrote to memory of 1280 | 2248 | wsncs.exe | 21
PID 2248 wrote to memory of 976 | 2248 | wsncs.exe | 12
PID 2248 wrote to memory of 4976 | 2248 | wsncs.exe | 70
PID 2248 wrote to memory of 3276 | 2248 | wsncs.exe | 88
PID 2248 wrote to memory of 3568 | 2248 | wsncs.exe | 57
PID 2248 wrote to memory of 2840 | 2248 | wsncs.exe | 52
PID 2248 wrote to memory of 3156 | 2248 | wsncs.exe | 53
PID 2248 wrote to memory of 1228 | 2248 | wsncs.exe | 69
PID 2248 wrote to memory of 2232 | 2248 | wsncs.exe | 40
PID 2248 wrote to memory of 4052 | 2248 | wsncs.exe | 66
PID 2248 wrote to memory of 2588 | 2248 | wsncs.exe | 44
PID 2248 wrote to memory of 2656 | 2248 | wsncs.exe | 45
PID 2248 wrote to memory of 1016 | 2248 | wsncs.exe | 15
PID 2248 wrote to memory of 1296 | 2248 | wsncs.exe | 22
PID 2248 wrote to memory of 3716 | 2248 | wsncs.exe | 80
PID 2248 wrote to memory of 4032 | 2248 | wsncs.exe | 61
PID 2248 wrote to memory of 4456 | 2248 | wsncs.exe | 68
PID 2248 wrote to memory of 2448 | 2248 | wsncs.exe | 43
PID 2248 wrote to memory of 804 | 2248 | wsncs.exe | 9
PID 2248 wrote to memory of 816 | 2248 | wsncs.exe | 10
PID 2248 wrote to memory of 688 | 2248 | wsncs.exe | 7
PID 2248 wrote to memory of 1140 | 2248 | wsncs.exe | 18
PID 2248 wrote to memory of 1392 | 2248 | wsncs.exe | 24
PID 2248 wrote to memory of 1588 | 2248 | wsncs.exe | 26
PID 2248 wrote to memory of 1712 | 2248 | wsncs.exe | 29
PID 2248 wrote to memory of 2072 | 2248 | wsncs.exe | 75
PID 2248 wrote to memory of 800 | 2248 | wsncs.exe | 8
PID 2248 wrote to memory of 1148 | 2248 | wsncs.exe | 19
PID 2248 wrote to memory of 4536 | 2248 | wsncs.exe | 91
PID 2248 wrote to memory of 212 | 2248 | wsncs.exe | 86
Processes
(one entry per process: PID, image path | command line; indentation shows the parent/child tree, signature tags are listed under the process that triggered them)
- PID 636: C:\Windows\system32\winlogon.exe | winlogon.exe
  - PID 804: C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
  - PID 404: C:\Windows\system32\dwm.exe | "dwm.exe"
- PID 688: C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
- PID 800: C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- PID 816: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p
  - PID 2936: C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding
  - PID 3740: C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - PID 3832: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - PID 3912: C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  - PID 4032: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - PID 3592: C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  - PID 4976: C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding
  - PID 4104: C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - PID 3992: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  - PID 2072: C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  - PID 3716: C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  - PID 3464: C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  - PID 212: C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  - PID 4536: C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - PID 2996: C:\Windows\System32\mousocoreworker.exe | C:\Windows\System32\mousocoreworker.exe -Embedding
  - PID 704: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- PID 928: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p
- PID 976: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- PID 416: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- PID 1016: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- PID 1056: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
- PID 1128: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- PID 1140: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- PID 1148: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- PID 1180: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - PID 2840: C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 1280: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- PID 1296: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- PID 1348: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- PID 1392: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- PID 1448: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - PID 3032: C:\Windows\system32\sihost.exe | sihost.exe
- PID 1588: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- PID 1604: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- PID 1616: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- PID 1712: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- PID 1752: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- PID 1768: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- PID 1848: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 1984: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- PID 1996: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- PID 2004: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 1492: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- PID 1788: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- PID 2104: C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
- PID 2164: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
- PID 2232: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- PID 2380: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- PID 2388: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- PID 2448: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- PID 2588: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- PID 2656: C:\Windows\sysmon.exe | C:\Windows\sysmon.exe
- PID 2664: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- PID 2704: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- PID 2724: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- PID 3060: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 3156: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- PID 3356: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- PID 3444: C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  - PID 3004: C:\Users\Admin\AppData\Local\Temp\01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - PID 676: C:\WINDOWS\SysWOW64\wsncs.exe | "C:\WINDOWS\system32\wsncs.exe" "C:\Users\Admin\AppData\Local\Temp\01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe"
      - Modifies firewall policy service
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
- PID 3568: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 4052: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- PID 2068: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- PID 4456: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- PID 1228: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- PID 4488: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- PID 2348: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- PID 2248: C:\WINDOWS\SysWOW64\wsncs.exe | C:\WINDOWS\SysWOW64\wsncs.exe
  - Modifies WinLogon for persistence
  - Modifies firewall policy service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- PID 3276: C:\Windows\System32\WaaSMedicAgent.exe | C:\Windows\System32\WaaSMedicAgent.exe 90f27b22a3eeb032916ef1d76834714f Zxlhw4czsE2Z7AQJdG56DA.0.1.0.0.0
- PID 1560: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- PID 1120: C:\Windows\servicing\TrustedInstaller.exe | C:\Windows\servicing\TrustedInstaller.exe
- PID 4840: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
- PID 4308: C:\WINDOWS\SysWOW64\wsncs.exe | C:\WINDOWS\SysWOW64\wsncs.exe
  - Modifies firewall policy service
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- PID 4824: C:\WINDOWS\SysWOW64\wsncs.exe | C:\WINDOWS\SysWOW64\wsncs.exe
  - Modifies firewall policy service
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- PID 1624: C:\WINDOWS\SysWOW64\wsncs.exe | C:\WINDOWS\SysWOW64\wsncs.exe
  - Modifies firewall policy service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- PID 4480: C:\WINDOWS\SysWOW64\wsncs.exe | C:\WINDOWS\SysWOW64\wsncs.exe
  - Modifies firewall policy service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 186KB
  - MD5: 01edfc8deea1b56fd6930db05a7dd293
  - SHA1: ed9ff4c19d14afbcefacd92005b47f78a279d69d
  - SHA256: b853a1af6a0a60095be2e010048fdbc575ab8e3fa010391bf6f9047ea2a14809
  - SHA512: 7599f73090538b47ae0bb85a17096f6591ab720428cbce2746f4f01679e01952749d8ff8f91e1734b53e49eeb3deab86fa445cc4ee145162f508e5222c8d5d09
- Filesize: 87KB
  - MD5: 6d301d243e39ad47b102577d4c7c7654
  - SHA1: 751d64b54c30ec23e53402899467ce3000017170
  - SHA256: fe8ee7fbc16adfca86a1ac9be0c947a456d4758987276336a84aa5bceca7631f
  - SHA512: 0a3dcb9c6dcc3aec4e39196151a7b169f7dd28c5a3b800450de326d110d0df2a441a113373748832881607a26c5f19546ff72be17795d09cd9d274e013332c01