Malware Analysis Report

2025-01-03 09:25

Sample ID 240620-nw1agszdlr
Target 05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118
SHA256 58f03772054f76078e4338edcf2e43e36302243832565dfb5736df41603438fa
Tags
bootkit persistence upx
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence upx

Event Triggered Execution: Image File Execution Options Injection

Loads dropped DLL

Executes dropped EXE

UPX packed file

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Runs .reg file with regedit

Runs net.exe

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 11:45

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 11:45

Reported

2024-06-20 11:48

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe"

Signatures

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICSSUPPNT.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VET95.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSECOMR.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EFINET32.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICSSUPPNT.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lamapp.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smtpsvc.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vshwin32.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKD.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTI-TROJAN.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGCTRL.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVW32.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER3.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debu.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIADMIN.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NORMIST.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TDS2-NT.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCHED32.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\norton.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPCC.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVP95.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMAVSP.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TDS2-98.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WEBSCAN.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcciomon.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin98.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scam32.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LUCOMSERVER.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mon.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWIN95.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mon.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moniker.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atrack.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpdos32.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKICE.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVW.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivir.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TCA.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APVXDWIN.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfw.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UlibCfg.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESAFE.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-STOPW.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOADNT.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\smsss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CnxDslTaskBar = "D:\\WINDOWS\\system32\\smsss.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\StormCodec_Helper = "D:\\WINDOWS\\system32\\sanjipian.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\StormCodec_Helper = "C:\\Windows\\system32\\sanjipian.exe" C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CnxDslTaskBar = "C:\\Windows\\system32\\smsss.exe" C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\smsss.exe C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sanjipian.exe C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\sanjipian.exe C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.reg C:\Windows\SysWOW64\smsss.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2296 set thread context of 2664 N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\smsss.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\smsss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smsss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe C:\Windows\SysWOW64\smsss.exe
PID 1600 wrote to memory of 3012 N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\regedit.exe
PID 2296 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 1600 wrote to memory of 2696 N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\net.exe
PID 2696 wrote to memory of 2824 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1600 wrote to memory of 2788 N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\net.exe
PID 2788 wrote to memory of 2564 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1600 wrote to memory of 2444 N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\regedit.exe
PID 1600 wrote to memory of 2700 N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\net.exe
PID 2700 wrote to memory of 2584 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1600 wrote to memory of 2592 N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\net.exe
PID 2592 wrote to memory of 2556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe"

C:\Windows\SysWOW64\smsss.exe

C:\Windows\system32\smsss.exe

C:\Windows\SysWOW64\regedit.exe

regedit.exe -s C:\Windows\system32\regedit.reg

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe fuck

C:\Windows\SysWOW64\net.exe

net stop sharedaccess

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop sharedaccess

C:\Windows\SysWOW64\net.exe

net stop sharedaccess

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop sharedaccess

C:\Windows\SysWOW64\regedit.exe

regedit.exe -s C:\Windows\system32\regedit.reg

C:\Windows\SysWOW64\net.exe

net stop sharedaccess

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop sharedaccess

C:\Windows\SysWOW64\net.exe

net stop sharedaccess

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop sharedaccess

Network

N/A

Files

memory/2296-0-0x0000000000400000-0x0000000000417000-memory.dmp

\Windows\SysWOW64\smsss.exe

MD5 4932a939e50e031d49b427264222eacc
SHA1 62f3f6fdcfe41c269da2025824678cb25f50aa15
SHA256 a1b34f205bd154661a1374a34ae7249d76810b791d854f1980818bedd0910a38
SHA512 6b672fa2067af5acf1f691e1db2cebdd284391901460c502bccd85d3d290e4070be56fc626291b37946144f544b03cb36afcf058bd858a7359275dab068fcf56

memory/2296-7-0x00000000001D0000-0x00000000001EA000-memory.dmp

memory/1600-15-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2296-14-0x00000000001D0000-0x00000000001EA000-memory.dmp

C:\Windows\SysWOW64\regedit.reg

MD5 f5fa0c3205a79aec2dcfaa80819a44b7
SHA1 0b5b614012b9c4909e70620c9de211ed854f6608
SHA256 443d9a3a424f3bb9ca521d999e0271b71f6ac35b9b7ce86e4a97bc9b87b0d569
SHA512 e0ad10a923fa52715643a37ca65f7dc9356ba097272adc345b0b3d579ba2adc1c2af1a9434cfe3fe5d944ae875fa6a56af39db062a5e24f5abc764bfc39a571b

memory/2664-22-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2664-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2296-33-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2664-28-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2664-25-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2664-20-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1600-34-0x0000000000400000-0x000000000041A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 11:45

Reported

2024-06-20 11:48

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe"

Signatures

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95CT.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NVC95.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NVC95.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vshwin32.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPTC32.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atrack.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIADMIN.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path\Debugger = "ntsd -d" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webtrap.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\norton.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin98.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TBSCAN.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPM.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSECOMR.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOADNT.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSCAN40\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisum.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMC.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmproxy.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPCC.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESAFE.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMAPP.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmproxy.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxonsol.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVW32.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UlibCfg.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moniker.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\office.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LUCOMSERVER.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcafee.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7win.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secu.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vir.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown2000.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPM.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mon.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TCA.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKD.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MOOLIVE.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIND.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVPreScan.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secu.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPM.exe C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WFINDV32.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeweb.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\smsss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (8 matches; the sandbox recorded no indicator, process or target for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CnxDslTaskBar = "D:\\WINDOWS\\system32\\smsss.exe" C:\Windows\SysWOW64\regedit.exe N/A (x2, once per regedit -s run)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\StormCodec_Helper = "D:\\WINDOWS\\system32\\sanjipian.exe" C:\Windows\SysWOW64\regedit.exe N/A (x2, once per regedit -s run)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\StormCodec_Helper = "C:\\Windows\\system32\\sanjipian.exe" C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CnxDslTaskBar = "C:\\Windows\\system32\\smsss.exe" C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A

Note the two different paths: the dropper itself writes the Run values with the real C:\Windows\system32 location of the dropped files, while the values imported from regedit.reg hard-code D:\WINDOWS\system32, a location that does not exist on the sandbox VM. The table does not preserve write order, so which value survives at the end of the run cannot be read from it.

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A
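
The three signatures above (IFEO Debugger values, Run keys, and the raw open of \??\PhysicalDrive0) are the ones an analyst wants to pull out of a report like this automatically. The script below is an added example written for this page, not part of the sandbox's output or of the sample's code. It parses event rows in the exact "Description Indicator Process Target" layout used above (the sample rows are constructed from this report's tables) and flags the IFEO hijack, the autostart values and the raw disk handle. The allow-list KNOWN_DEBUGGERS is an assumption for the example; in a real estate it should contain whatever debuggers are legitimately registered under IFEO. The security point it encodes: a Debugger value of "svchost.exe" means every launch of the named AV binary becomes "svchost.exe avp.exe ...", which exits at once, so the product is killed without any of its files being touched.

```python
r"""Triage helper for sandbox registry/file event rows (constructed from this report).

Flags the three persistence / defense-evasion patterns the report shows:
  * IFEO Debugger hijack: ...\Image File Execution Options\<av.exe>\Debugger = "svchost.exe"
    makes every launch of <av.exe> run "svchost.exe <av.exe> ..." instead, which exits at
    once, so the security product never starts.
  * Run-key autostart pointing at the dropped copies in system32.
  * Raw open of \??\PhysicalDrive0, the handle a bootkit needs to overwrite the MBR.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Event rows constructed from the report's signature tables (one of each kind; the real
# report lists dozens of IFEO rows).
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe\Debugger = "svchost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CnxDslTaskBar = "D:\\WINDOWS\\system32\\smsss.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\StormCodec_Helper = "C:\\Windows\\system32\\sanjipian.exe" C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sanjipian.exe C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A
"""

# Row layout: <operation> <indicator, may contain spaces> <process> <target>
LINE_RE = re.compile(
    r"^(?P<op>Set value \(str\)|Key created|File opened for modification|File created) "
    r"(?P<indicator>.+) (?P<process>\S+) (?P<target>\S+)$"
)

IFEO_MARK = "\\currentversion\\image file execution options\\"
RUN_MARKS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Allow-list of Debugger values that are legitimate; an assumption for this example.
KNOWN_DEBUGGERS = {"ntsd.exe", "windbg.exe", "cdb.exe", "vsjitdebugger.exe"}


@dataclass
class Event:
    op: str
    indicator: str        # registry key (including value name) or file path
    data: Optional[str]   # string data for "Set value" rows, else None
    process: str          # process that performed the operation


def parse_events(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        indicator, data = m["indicator"], None
        if m["op"].startswith("Set value"):
            indicator, _, raw = indicator.partition(" = ")
            # the report doubles backslashes inside quoted string data
            data = raw.strip('"').replace("\\\\", "\\")
        events.append(Event(m["op"], indicator, data, m["process"]))
    return events


Finding = Tuple[str, str, Optional[str], str]   # (kind, subject, data, process)


def triage(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        key = ev.indicator.lower()
        if ev.data is not None and IFEO_MARK in key and key.endswith("\\debugger"):
            image = ev.indicator.split("\\")[-2]                       # ...\<image>\Debugger
            first = (ev.data.split() or [""])[0]                        # executable part only
            debugger = first.rsplit("\\", 1)[-1].lower()
            if debugger not in KNOWN_DEBUGGERS:
                findings.append(("ifeo_hijack", image, ev.data, ev.process))
        elif ev.data is not None and any(mark in key for mark in RUN_MARKS):
            value_name = ev.indicator.rsplit("\\", 1)[-1]
            findings.append(("run_key", value_name, ev.data, ev.process))
        elif ev.op.startswith("File") and re.search(r"physicaldrive\d+$", key):
            findings.append(("raw_disk_write", ev.indicator, None, ev.process))
    return findings


if __name__ == "__main__":
    for kind, subject, data, process in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{kind:15} {subject:20} {data or '':32} by {process}")
```

Run as-is it prints five findings for the constructed rows: two IFEO hijacks, two Run values and the PhysicalDrive0 open; feed it the full table above to get the complete list of security products the sample disables.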

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\regedit.reg C:\Windows\SysWOW64\smsss.exe N/A
File opened for modification C:\Windows\SysWOW64\smsss.exe C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sanjipian.exe C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\sanjipian.exe C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2492 set thread context of 4756 N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\smsss.exe N/A (x64; the same process-enumeration call was logged 64 times with no further detail)

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\smsss.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\smsss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smsss.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\smsss.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\smsss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 3872 (x3) N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe C:\Windows\SysWOW64\smsss.exe
PID 3872 wrote to memory of 2500 (x3) N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\regedit.exe
PID 2492 wrote to memory of 4756 (x8) N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 3872 wrote to memory of 3348 (x3) N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\net.exe
PID 3348 wrote to memory of 2364 (x3) N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3872 wrote to memory of 2604 (x3) N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\net.exe
PID 2604 wrote to memory of 2600 (x3) N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3872 wrote to memory of 2720 (x3) N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\regedit.exe
PID 3872 wrote to memory of 2212 (x3) N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\net.exe
PID 2212 wrote to memory of 1656 (x3) N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3872 wrote to memory of 1620 (x3) N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 3340 (x3) N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Identical rows are collapsed; the count in parentheses is how many times the sandbox logged the write. Every ordinary parent/child pair in this report shows the same three writes, while svchost.exe (PID 4756) receives eight writes from the dropper together with the SetThreadContext call listed above: that is the process-hollowing sequence, and the hollowed svchost.exe is the process that then crashes (WerFault rows).
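
The WriteProcessMemory and SetThreadContext rows are enough to rebuild the process tree and to spot the hollowing target without the sandbox's own process view. The script below is an added example for this page, not sandbox or sample code. It parses rows in the layout used above (the sample rows are constructed from this report, with the repeated writes trimmed to three per pair), infers parentage from the first cross-process write into each PID, and flags any PID that was both written into and had its thread context replaced by the same writer. The parentage inference is an assumption that holds for this report, where every write target is a process the writer had just created; on a live host it must be confirmed against real process-creation telemetry (Sysmon event 1 or the kernel process ETW provider), because a write alone does not prove the writer is the parent.

```python
"""Rebuild a process tree and spot process hollowing from sandbox cross-process
memory rows of the form:
    PID <src> wrote to memory of <dst> N/A <src_image> <dst_image>
    PID <src> set thread context of <dst> N/A <src_image> <dst_image>
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Rows constructed from this report (repeated writes trimmed to three per pair).
SAMPLE_MEMORY_EVENTS = r"""
PID 2492 set thread context of 4756 N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2492 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe C:\Windows\SysWOW64\smsss.exe
PID 2492 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe C:\Windows\SysWOW64\smsss.exe
PID 2492 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe C:\Windows\SysWOW64\smsss.exe
PID 3872 wrote to memory of 2500 N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\regedit.exe
PID 2492 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2492 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2492 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 3872 wrote to memory of 3348 N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\net.exe
PID 3348 wrote to memory of 2364 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3872 wrote to memory of 2604 N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\net.exe
PID 2604 wrote to memory of 2600 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3872 wrote to memory of 2720 N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\regedit.exe
PID 3872 wrote to memory of 2212 N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\net.exe
PID 2212 wrote to memory of 1656 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3872 wrote to memory of 1620 N/A C:\Windows\SysWOW64\smsss.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 3340 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
"""

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


class MemEvent(NamedTuple):
    src: int
    op: str
    dst: int
    src_image: str
    dst_image: str


def parse_memory_events(text: str) -> List[MemEvent]:
    out: List[MemEvent] = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            out.append(MemEvent(int(m["src"]), m["op"], int(m["dst"]),
                                m["src_image"], m["dst_image"]))
    return out


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def find_hollowing(events: List[MemEvent]) -> List[Tuple[int, int, str, int]]:
    """(src, dst, dst_image, write_count) for every pair where src both wrote into dst
    and replaced dst's thread context: the process-hollowing sequence."""
    writes = Counter((e.src, e.dst) for e in events if e.op == "wrote to memory of")
    ctx = {(e.src, e.dst) for e in events if e.op == "set thread context of"}
    images = {e.dst: basename(e.dst_image) for e in events}
    return [(s, d, images[d], writes[(s, d)]) for (s, d) in sorted(ctx) if writes[(s, d)]]


def build_tree(events: List[MemEvent]) -> Dict[int, List[int]]:
    """parent -> children in creation order, taking the FIRST writer into a PID as its
    parent. Assumption: in this report every write target was just created by the writer."""
    children: Dict[int, List[int]] = defaultdict(list)
    parent: Dict[int, int] = {}
    for e in events:
        if e.op == "wrote to memory of" and e.dst not in parent:
            parent[e.dst] = e.src
            children[e.src].append(e.dst)
    return children


def render_tree(events: List[MemEvent], root: int) -> str:
    children = build_tree(events)
    images: Dict[int, str] = {}
    for e in events:
        images.setdefault(e.src, basename(e.src_image))
        images.setdefault(e.dst, basename(e.dst_image))
    hollowed = {d: (s, n) for s, d, _, n in find_hollowing(events)}
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        tag = ""
        if pid in hollowed:
            s, n = hollowed[pid]
            tag = f"  [hollowed: {n} writes + SetThreadContext from {s}]"
        lines.append("  " * depth + f"{pid} {images[pid]}{tag}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(parse_memory_events(SAMPLE_MEMORY_EVENTS), 2492))
```

The rendered tree puts smsss.exe and the hollowed svchost.exe under the dropper, the two regedit and four net.exe/net1.exe pairs under smsss.exe, and tags PID 4756 as the hollowing target; the WerFault processes never appear because no row ties them to the sample.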

Processes

Listed in creation order as the sandbox reported them, with PIDs and parentage taken from the WriteProcessMemory and SetThreadContext rows above (the sandbox does not print PIDs in this list). Indentation shows the parent.

C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe (PID 2492)
  "C:\Users\Admin\AppData\Local\Temp\05b02a023bdb0e2a9d113f7dd70e1f73_JaffaCakes118.exe"

  C:\Windows\SysWOW64\smsss.exe (PID 3872, dropped copy of the sample)
    C:\Windows\system32\smsss.exe

    C:\Windows\SysWOW64\regedit.exe (PID 2500)
      regedit.exe -s C:\Windows\system32\regedit.reg

  C:\Windows\SysWOW64\svchost.exe (PID 4756, hollowed by PID 2492)
    C:\Windows\system32\svchost.exe fuck

C:\Windows\SysWOW64\WerFault.exe (Windows Error Reporting for the crash of PID 4756; no row ties it to the sample)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4756 -ip 4756

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 12

    C:\Windows\SysWOW64\net.exe (PID 3348, child of smsss.exe)
      net stop sharedaccess

      C:\Windows\SysWOW64\net1.exe (PID 2364)
        C:\Windows\system32\net1 stop sharedaccess

    C:\Windows\SysWOW64\net.exe (PID 2604, child of smsss.exe)
      net stop sharedaccess

      C:\Windows\SysWOW64\net1.exe (PID 2600)
        C:\Windows\system32\net1 stop sharedaccess

    C:\Windows\SysWOW64\regedit.exe (PID 2720, child of smsss.exe; second import of the same .reg file)
      regedit.exe -s C:\Windows\system32\regedit.reg

    C:\Windows\SysWOW64\net.exe (PID 2212, child of smsss.exe)
      net stop sharedaccess

      C:\Windows\SysWOW64\net1.exe (PID 1656)
        C:\Windows\system32\net1 stop sharedaccess

    C:\Windows\SysWOW64\net.exe (PID 1620, child of smsss.exe)
      net stop sharedaccess

      C:\Windows\SysWOW64\net1.exe (PID 3340)
        C:\Windows\system32\net1 stop sharedaccess

SharedAccess is the service name of the legacy Windows Firewall/Internet Connection Sharing service; on Vista and later the firewall itself runs as MpsSvc, so these four stop attempts are a leftover from the XP era and do little on this platform. net.exe handing the command to net1.exe is normal behaviour, not a separate technique.

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2492-0-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Windows\SysWOW64\smsss.exe

MD5 4932a939e50e031d49b427264222eacc
SHA1 62f3f6fdcfe41c269da2025824678cb25f50aa15
SHA256 a1b34f205bd154661a1374a34ae7249d76810b791d854f1980818bedd0910a38
SHA512 6b672fa2067af5acf1f691e1db2cebdd284391901460c502bccd85d3d290e4070be56fc626291b37946144f544b03cb36afcf058bd858a7359275dab068fcf56

memory/3872-9-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Windows\SysWOW64\regedit.reg

MD5 f5fa0c3205a79aec2dcfaa80819a44b7
SHA1 0b5b614012b9c4909e70620c9de211ed854f6608
SHA256 443d9a3a424f3bb9ca521d999e0271b71f6ac35b9b7ce86e4a97bc9b87b0d569
SHA512 e0ad10a923fa52715643a37ca65f7dc9356ba097272adc345b0b3d579ba2adc1c2af1a9434cfe3fe5d944ae875fa6a56af39db062a5e24f5abc764bfc39a571b

memory/4756-15-0x0000000000400000-0x0000000000417000-memory.dmp

memory/4756-14-0x0000000000400000-0x0000000000417000-memory.dmp

memory/4756-16-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2492-19-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3872-20-0x0000000000400000-0x000000000041A000-memory.dmp