eda59f4181b638df6cc16b7267535e70a54699c3a53101d07c0287662f83d546

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
Size

256KB
MD5

074ded651094fe1545d996add8e3df36
SHA1

9960378b363b6ff89d40a790e9cfe3f59c4004f8
SHA256

eda59f4181b638df6cc16b7267535e70a54699c3a53101d07c0287662f83d546
SHA512

13e15ee436e21ba7f5b4d3d90ce8f326d0926004d6f9e49ce827aae939a1e3c335a67709b6ca0b3a741268f935a7a36d52271077755022f3346972824f6ed56e
SSDEEP

3072:Xo8L5tpV+CSA1AAPoCpxW5ATBfUNjpS1svkTVC9FieYTTLprx/m3qT4S826guKqr:ptpvoCpcNQ1jQdi

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	system.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 48 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	system.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Global.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
224	Global.exe
4100	svchost.exe
5104	system.exe

Modifies system executable filetype association 2 TTPs 6 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	Global.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe

Drops autorun.inf file 1 TTPs 11 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe
File opened for modification	D:\autorun.inf	Global.exe
File opened for modification	F:\autorun.inf	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\autorun.inf	Global.exe
File created	C:\autorun.inf	Global.exe
File created	D:\autorun.inf	Global.exe
File created	F:\autorun.inf	Global.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E)\svchost.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Default.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Global.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E)\Global.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	system.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	system.exe

Drops file in Windows directory 38 IoCs

description	ioc	Process
File created	C:\WINDOWS\Fonts\tskmgr.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File created	C:\WINDOWS\Media\rndll32.pif	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Help\microsoft.hlp	Global.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	svchost.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	system.exe
File opened for modification	C:\WINDOWS\Fonts\wav.wav	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File created	C:\WINDOWS\pchealth\Global.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File created	C:\WINDOWS\Media\rndll32.pif	system.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File created	C:\WINDOWS\pchealth\Global.exe	svchost.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	svchost.exe
File opened for modification	C:\WINDOWS\Media\rndll32.pif	Global.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	Global.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	Global.exe
File created	C:\WINDOWS\pchealth\Global.exe	system.exe
File created	C:\WINDOWS\Help\microsoft.hlp	system.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File opened for modification	C:\WINDOWS\system\KEYBOARD.exe	Global.exe
File created	C:\WINDOWS\Help\microsoft.hlp	svchost.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	system.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	Global.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	svchost.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	svchost.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File created	C:\WINDOWS\Help\microsoft.hlp	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	svchost.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	system.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Fonts\Fonts.exe	Global.exe
File created	C:\WINDOWS\Media\rndll32.pif	svchost.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	system.exe
File created	C:\WINDOWS\pchealth\Global.exe	Global.exe
File opened for modification	C:\WINDOWS\Fonts\tskmgr.exe	Global.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	svchost.exe
File created	C:\WINDOWS\Fonts\wav.wav	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 12 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	Global.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\AutoEndTasks = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\AutoEndTasks = "1"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\AutoEndTasks = "1"	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	svchost.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	system.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1704	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
224	Global.exe
4100	svchost.exe
5104	system.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 224	1704	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe	85
PID 1704 wrote to memory of 224	1704	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe	85
PID 1704 wrote to memory of 224	1704	074ded651094fe1545d996add8e3df36_JaffaCakes118.exe	85
PID 224 wrote to memory of 4100	224	Global.exe	89
PID 224 wrote to memory of 4100	224	Global.exe	89
PID 224 wrote to memory of 4100	224	Global.exe	89
PID 4100 wrote to memory of 5104	4100	svchost.exe	92
PID 4100 wrote to memory of 5104	4100	svchost.exe	92
PID 4100 wrote to memory of 5104	4100	svchost.exe	92

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	system.exe

C:\Users\Admin\AppData\Local\Temp\074ded651094fe1545d996add8e3df36_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\074ded651094fe1545d996add8e3df36_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704
- C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
  "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:224
- - C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
    "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"
    3⤵
    - Adds policy Run key to start application
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4100
  - - C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
      "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
      4⤵
      Adds policy Run key to start application
      Drops file in Drivers directory
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Modifies system executable filetype association
      Adds Run key to start application
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Control Panel
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:5104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\Cursors\Boom.vbs

Filesize
4KB

MD5
e72c9789ac7232e3b36766eb2a8f8da6

SHA1
a37a9f18e227d103bb4e1ecac0834c2cdf99d112

SHA256
7b03603cbc56105470b4bfb250d0ef18fa93126475e2872d63dc52c35866d2a9

SHA512
666a2592c5303a1f42a8bbddc2a8e5d3289c612be7401e3530a3afd70d8243276645bad00a82f3254674307583dabae49c16204e790200a34b0707813265f6d0

Download Submit
C:\WINDOWS\SysWOW64\dllcache\autorun.inf

Filesize
118B

MD5
4eb846be89a1520b7d0181f0736f9a96

SHA1
869a156f9bd21b06d896cafa66db628f7b5e9679

SHA256
5bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8

SHA512
ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c

Download Submit
C:\Windows\Fonts\Fonts.exe

Filesize
256KB

MD5
074ded651094fe1545d996add8e3df36

SHA1
9960378b363b6ff89d40a790e9cfe3f59c4004f8

SHA256
eda59f4181b638df6cc16b7267535e70a54699c3a53101d07c0287662f83d546

SHA512
13e15ee436e21ba7f5b4d3d90ce8f326d0926004d6f9e49ce827aae939a1e3c335a67709b6ca0b3a741268f935a7a36d52271077755022f3346972824f6ed56e

Download Submit
memory/1704-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1704-86-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads