b853a1af6a0a60095be2e010048fdbc575ab8e3fa010391bf6f9047ea2a14809

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe
Size

186KB
MD5

01edfc8deea1b56fd6930db05a7dd293
SHA1

ed9ff4c19d14afbcefacd92005b47f78a279d69d
SHA256

b853a1af6a0a60095be2e010048fdbc575ab8e3fa010391bf6f9047ea2a14809
SHA512

7599f73090538b47ae0bb85a17096f6591ab720428cbce2746f4f01679e01952749d8ff8f91e1734b53e49eeb3deab86fa445cc4ee145162f508e5222c8d5d09
SSDEEP

3072:4rehbc1Oe4J2u4gVjS3cSIBLjJ1MbLrhQXzmZaDj//lAJP9wKaw:42cUe8zVjSvMMbL1af/CJVzaw

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\SysWOW64\\wsncs.exe,"	wsncs.exe

Modifies firewall policy service 3 TTPs 20 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\wsncs.exe = "C:\\WINDOWS\\system32\\wsncs.exe:*:Enabled:WSCNS"	wsncs.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exeC:\\WINDOWS\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS"	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS"	wsncs.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	wsncs.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exeC:\\WINDOWS\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS"	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS"	wsncs.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exeC:\\WINDOWS\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS"	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exeC:\\WINDOWS\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS"	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS"	wsncs.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exeC:\\WINDOWS\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS"	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS"	wsncs.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exeC:\\WINDOWS\\system32\\wsncs.exe:*:Enabled:WSCNS"	wsncs.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SysWOW64\wsncs.exe = "C:\\WINDOWS\\SysWOW64\\wsncs.exe:*:Enabled:WSCNS"	wsncs.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	wsncs.exe

Deletes itself 1 IoCs

pid	Process
676	wsncs.exe

Executes dropped EXE 6 IoCs

pid	Process
676	wsncs.exe
2248	wsncs.exe
4308	wsncs.exe
4824	wsncs.exe
1624	wsncs.exe
4480	wsncs.exe

Loads dropped DLL 12 IoCs

pid	Process
2248	wsncs.exe
676	wsncs.exe
676	wsncs.exe
676	wsncs.exe
676	wsncs.exe
676	wsncs.exe
676	wsncs.exe
676	wsncs.exe
1624	wsncs.exe
676	wsncs.exe
676	wsncs.exe
4480	wsncs.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\WINDOWS\\SysWOW64\\wsncs.exe\" *"	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\WINDOWS\\SysWOW64\\wsncs.exe\" *"	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\WINDOWS\\SysWOW64\\wsncs.exe\" *"	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\WINDOWS\\SysWOW64\\wsncs.exe\" *"	wsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\WINDOWS\\SysWOW64\\wsncs.exe\" *"	wsncs.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wsncs.exe	wsncs.exe
File opened for modification	C:\WINDOWS\SysWOW64\wsncs.exe	wsncs.exe
File created	C:\WINDOWS\SysWOW64\wsncs.exe	wsncs.exe
File created	C:\WINDOWS\SysWOW64\wsncs.exe	wsncs.exe
File opened for modification	C:\WINDOWS\SysWOW64\wsncs.exe	wsncs.exe
File created	C:\WINDOWS\SysWOW64\wsncs.exe	wsncs.exe
File created	C:\WINDOWS\SysWOW64\wsncs.exe	wsncs.exe
File opened for modification	C:\WINDOWS\SysWOW64\wsncs.exe	01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\wsncs.exe	wsncs.exe
File opened for modification	C:\WINDOWS\SysWOW64\wsncs.exe	wsncs.exe
File opened for modification	C:\WINDOWS\SysWOW64\wsncs.exe	wsncs.exe
File created	C:\WINDOWS\SysWOW64\wsncs.exe	01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	wsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\WINDOWS\\SysWOW64\\wsncs.exe\" *"	wsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	wsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	wsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	wsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\WINDOWS\\SysWOW64\\wsncs.exe\" *"	wsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	wsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\WINDOWS\\SysWOW64\\wsncs.exe\" *"	wsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	wsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\WINDOWS\\SysWOW64\\wsncs.exe\" *"	wsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	wsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\WSCNS = "\"C:\\WINDOWS\\SysWOW64\\wsncs.exe\" *"	wsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	wsncs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe
2248	wsncs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe
Token: SeDebugPrivilege	2248	wsncs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 676	3004	01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe	83
PID 3004 wrote to memory of 676	3004	01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe	83
PID 3004 wrote to memory of 676	3004	01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe	83
PID 2248 wrote to memory of 3444	2248	wsncs.exe	56
PID 2248 wrote to memory of 636	2248	wsncs.exe	5
PID 2248 wrote to memory of 2936	2248	wsncs.exe	49
PID 2248 wrote to memory of 1768	2248	wsncs.exe	31
PID 2248 wrote to memory of 3992	2248	wsncs.exe	74
PID 2248 wrote to memory of 3832	2248	wsncs.exe	59
PID 2248 wrote to memory of 3464	2248	wsncs.exe	85
PID 2248 wrote to memory of 1848	2248	wsncs.exe	32
PID 2248 wrote to memory of 1448	2248	wsncs.exe	25
PID 2248 wrote to memory of 4840	2248	wsncs.exe	93
PID 2248 wrote to memory of 1128	2248	wsncs.exe	17
PID 2248 wrote to memory of 1848	2248	wsncs.exe	32
PID 2248 wrote to memory of 1280	2248	wsncs.exe	21
PID 2248 wrote to memory of 976	2248	wsncs.exe	12
PID 2248 wrote to memory of 4976	2248	wsncs.exe	70
PID 2248 wrote to memory of 3276	2248	wsncs.exe	88
PID 2248 wrote to memory of 3568	2248	wsncs.exe	57
PID 2248 wrote to memory of 2840	2248	wsncs.exe	52
PID 2248 wrote to memory of 3156	2248	wsncs.exe	53
PID 2248 wrote to memory of 1228	2248	wsncs.exe	69
PID 2248 wrote to memory of 2232	2248	wsncs.exe	40
PID 2248 wrote to memory of 4052	2248	wsncs.exe	66
PID 2248 wrote to memory of 2588	2248	wsncs.exe	44
PID 2248 wrote to memory of 3832	2248	wsncs.exe	59
PID 2248 wrote to memory of 3156	2248	wsncs.exe	53
PID 2248 wrote to memory of 2656	2248	wsncs.exe	45
PID 2248 wrote to memory of 1016	2248	wsncs.exe	15
PID 2248 wrote to memory of 4840	2248	wsncs.exe	93
PID 2248 wrote to memory of 1296	2248	wsncs.exe	22
PID 2248 wrote to memory of 2232	2248	wsncs.exe	40
PID 2248 wrote to memory of 3716	2248	wsncs.exe	80
PID 2248 wrote to memory of 1448	2248	wsncs.exe	25
PID 2248 wrote to memory of 4840	2248	wsncs.exe	93
PID 2248 wrote to memory of 4032	2248	wsncs.exe	61
PID 2248 wrote to memory of 4456	2248	wsncs.exe	68
PID 2248 wrote to memory of 2936	2248	wsncs.exe	49
PID 2248 wrote to memory of 2448	2248	wsncs.exe	43
PID 2248 wrote to memory of 3832	2248	wsncs.exe	59
PID 2248 wrote to memory of 804	2248	wsncs.exe	9
PID 2248 wrote to memory of 816	2248	wsncs.exe	10
PID 2248 wrote to memory of 688	2248	wsncs.exe	7
PID 2248 wrote to memory of 1228	2248	wsncs.exe	69
PID 2248 wrote to memory of 3568	2248	wsncs.exe	57
PID 2248 wrote to memory of 1140	2248	wsncs.exe	18
PID 2248 wrote to memory of 4052	2248	wsncs.exe	66
PID 2248 wrote to memory of 1392	2248	wsncs.exe	24
PID 2248 wrote to memory of 2232	2248	wsncs.exe	40
PID 2248 wrote to memory of 1448	2248	wsncs.exe	25
PID 2248 wrote to memory of 1588	2248	wsncs.exe	26
PID 2248 wrote to memory of 1712	2248	wsncs.exe	29
PID 2248 wrote to memory of 2072	2248	wsncs.exe	75
PID 2248 wrote to memory of 800	2248	wsncs.exe	8
PID 2248 wrote to memory of 804	2248	wsncs.exe	9
PID 2248 wrote to memory of 800	2248	wsncs.exe	8
PID 2248 wrote to memory of 1148	2248	wsncs.exe	19
PID 2248 wrote to memory of 3992	2248	wsncs.exe	74
PID 2248 wrote to memory of 2936	2248	wsncs.exe	49
PID 2248 wrote to memory of 1128	2248	wsncs.exe	17
PID 2248 wrote to memory of 4536	2248	wsncs.exe	91
PID 2248 wrote to memory of 212	2248	wsncs.exe	86
PID 2248 wrote to memory of 4840	2248	wsncs.exe	93

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:804
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:404

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:816
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2936
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3740
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3832
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3912
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4032
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3592
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4976
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4104
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:3992
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2072
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:3716
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3464
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:212
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:4536
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:2996
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1180
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1448
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1788

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2588

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3356

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\WINDOWS\SysWOW64\wsncs.exe
    "C:\WINDOWS\system32\wsncs.exe" "C:\Users\Admin\AppData\Local\Temp\01edfc8deea1b56fd6930db05a7dd293_JaffaCakes118.exe"
    3⤵
    - Modifies firewall policy service
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4456

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2348

C:\WINDOWS\SysWOW64\wsncs.exe
C:\WINDOWS\SysWOW64\wsncs.exe
1⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 90f27b22a3eeb032916ef1d76834714f Zxlhw4czsE2Z7AQJdG56DA.0.1.0.0.0
1⤵
PID:3276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1560

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4840

C:\WINDOWS\SysWOW64\wsncs.exe
C:\WINDOWS\SysWOW64\wsncs.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4308

C:\WINDOWS\SysWOW64\wsncs.exe
C:\WINDOWS\SysWOW64\wsncs.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4824

C:\WINDOWS\SysWOW64\wsncs.exe
C:\WINDOWS\SysWOW64\wsncs.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1624

C:\WINDOWS\SysWOW64\wsncs.exe
C:\WINDOWS\SysWOW64\wsncs.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wsncs.exe

Filesize
186KB

MD5
01edfc8deea1b56fd6930db05a7dd293

SHA1
ed9ff4c19d14afbcefacd92005b47f78a279d69d

SHA256
b853a1af6a0a60095be2e010048fdbc575ab8e3fa010391bf6f9047ea2a14809

SHA512
7599f73090538b47ae0bb85a17096f6591ab720428cbce2746f4f01679e01952749d8ff8f91e1734b53e49eeb3deab86fa445cc4ee145162f508e5222c8d5d09

Download Submit
C:\Windows\Temp\WSCNS_000.tmp

Filesize
87KB

MD5
6d301d243e39ad47b102577d4c7c7654

SHA1
751d64b54c30ec23e53402899467ce3000017170

SHA256
fe8ee7fbc16adfca86a1ac9be0c947a456d4758987276336a84aa5bceca7631f

SHA512
0a3dcb9c6dcc3aec4e39196151a7b169f7dd28c5a3b800450de326d110d0df2a441a113373748832881607a26c5f19546ff72be17795d09cd9d274e013332c01

Download Submit
memory/676-143-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/676-125-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/676-10-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/676-231-0x000000000C9E0000-0x000000000CA28000-memory.dmp

Filesize
288KB

Download
memory/676-154-0x0000000000880000-0x00000000008C8000-memory.dmp

Filesize
288KB

Download
memory/676-147-0x0000000000880000-0x00000000008C8000-memory.dmp

Filesize
288KB

Download
memory/676-14-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/676-148-0x0000000000880000-0x00000000008C8000-memory.dmp

Filesize
288KB

Download
memory/676-136-0x0000000007F90000-0x0000000007FD8000-memory.dmp

Filesize
288KB

Download
memory/676-130-0x0000000007F90000-0x0000000007FD8000-memory.dmp

Filesize
288KB

Download
memory/676-195-0x000000000C9E0000-0x000000000CA28000-memory.dmp

Filesize
288KB

Download
memory/676-131-0x0000000007F90000-0x0000000007FD8000-memory.dmp

Filesize
288KB

Download
memory/676-102-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/676-99-0x00000000058F0000-0x0000000005938000-memory.dmp

Filesize
288KB

Download
memory/676-55-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/676-70-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/676-76-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/676-77-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/676-87-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/676-95-0x00000000058F0000-0x0000000005938000-memory.dmp

Filesize
288KB

Download
memory/676-97-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/676-94-0x00000000058F0000-0x0000000005938000-memory.dmp

Filesize
288KB

Download
memory/676-194-0x000000000C9E0000-0x000000000CA28000-memory.dmp

Filesize
288KB

Download
memory/1624-173-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1624-179-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/1624-177-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1624-205-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2248-54-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2248-39-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2248-36-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2248-32-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2248-30-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2248-29-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2248-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2248-13-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3004-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3004-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-8-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4308-91-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4480-230-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4824-155-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4824-137-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4824-129-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download