Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-06-2024 00:50
Static task: static1
Behavioral task: behavioral1
- Sample: 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
- Size: 428KB
- MD5: 0081117561dbbe476ca7c53d931272eb
- SHA1: c63c2af8e87297fa66b6fdd8898b50b64a0c2e23
- SHA256: 69bd0504604bb8f94928e0bc4d710639f23d99ddeedd7036c8d6d19d26b6cd42
- SHA512: cee68886a6d82a16e992bd68e33453d23f71c615771a6ab38a3a4ce691d69d16b4e85fb0c0a2d15443f1920ee686e33d19a49ed87422648eba321fd907a27155
- SSDEEP: 6144:Ibt2jtf5kORPWBqrqcGSDTE8snxL6SmyOI/z4JK8MtoBhO/Ilu+uzZ:HjXkk+QWcGSDTE99lOIr4Jhh5nuz
Malware Config
Extracted
- Family: cybergate
- Version: 2.6
- Botnet: vítima
- C2: 127.0.0.1:81
- C2: fenerli1907.no-ip.biz:81
- Mutex: ***MUTEX***
Attributes
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: svchost.exe
- install_dir: windows
- install_file: system.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: 1234
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Processes: vbc.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows\\system.exe"  (vbc.exe)
    Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  (vbc.exe)
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows\\system.exe"  (vbc.exe)
    Key created  \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  (vbc.exe)
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Processes: vbc.exe, explorer.exe
    Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}  (vbc.exe)
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}\StubPath = "C:\\Windows\\system32\\windows\\system.exe Restart"  (vbc.exe)
    Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}  (explorer.exe)
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}\StubPath = "C:\\Windows\\system32\\windows\\system.exe"  (explorer.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation  (0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe)
- Executes dropped EXE (2 IoCs)
  Processes: 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe, system.exe
    pid 3620  0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
    pid 4484  system.exe
- Loads dropped DLL (3 IoCs)
  Processes: 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
    pid 3620  0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
- Yara rule match: upx
  Resources:
    behavioral2/memory/2420-36-0x0000000000400000-0x0000000000459000-memory.dmp  (upx)
    behavioral2/memory/2420-39-0x0000000000400000-0x0000000000459000-memory.dmp  (upx)
    behavioral2/memory/2420-40-0x0000000000400000-0x0000000000459000-memory.dmp  (upx)
    behavioral2/memory/2420-42-0x0000000000400000-0x0000000000459000-memory.dmp  (upx)
    behavioral2/memory/2420-46-0x0000000024010000-0x0000000024072000-memory.dmp  (upx)
    behavioral2/memory/2420-49-0x0000000024080000-0x00000000240E2000-memory.dmp  (upx)
    behavioral2/memory/2420-181-0x0000000000400000-0x0000000000459000-memory.dmp  (upx)
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe, vbc.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rOaoWnZdErpjCyVqQVSdgvRSblgKZsMfaPuEFDIslsXkjzEGxX = "C:\\Users\\Admin\\AppData\\Local\\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe"  (0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe)
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\windows\\system.exe"  (vbc.exe)
    Set value (str)  \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\windows\\system.exe"  (vbc.exe)
- Drops file in System32 directory (4 IoCs)
  Processes: vbc.exe, vbc.exe
    File opened for modification  C:\Windows\SysWOW64\windows\system.exe  (vbc.exe)
    File opened for modification  C:\Windows\SysWOW64\windows\system.exe  (vbc.exe)
    File opened for modification  C:\Windows\SysWOW64\windows\  (vbc.exe)
    File created  C:\Windows\SysWOW64\windows\system.exe  (vbc.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
    PID 3620 set thread context of 2420: 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe -> vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Processes: vbc.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  (vbc.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: vbc.exe, vbc.exe
    pid 2420  vbc.exe
    pid 2876  vbc.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: vbc.exe
    pid 2876  vbc.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: vbc.exe
    Token: SeDebugPrivilege  pid 2876  vbc.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: vbc.exe
    pid 2420  vbc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe, 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe, vbc.exe
    PID 3060 wrote to memory of 3620: 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe -> 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
    PID 3620 wrote to memory of 2420: 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe -> vbc.exe
    PID 2420 wrote to memory of 3452: vbc.exe -> Explorer.EXE
Processes (indented by process-tree depth; each entry gives the image path, then the command line)
- C:\Windows\system32\winlogon.exe  [cmd: winlogon.exe]
  - C:\Windows\system32\fontdrvhost.exe  [cmd: "fontdrvhost.exe"]
  - C:\Windows\system32\dwm.exe  [cmd: "dwm.exe"]
- C:\Windows\system32\lsass.exe  [cmd: C:\Windows\system32\lsass.exe]
- C:\Windows\system32\fontdrvhost.exe  [cmd: "fontdrvhost.exe"]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p]
  - C:\Windows\system32\wbem\unsecapp.exe  [cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding]
  - C:\Windows\system32\DllHost.exe  [cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}]
  - C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  [cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca]
  - C:\Windows\System32\RuntimeBroker.exe  [cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding]
  - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  [cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca]
  - C:\Windows\System32\RuntimeBroker.exe  [cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding]
  - C:\Windows\system32\SppExtComObj.exe  [cmd: C:\Windows\system32\SppExtComObj.exe -Embedding]
  - C:\Windows\system32\DllHost.exe  [cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}]
  - C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  [cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca]
  - C:\Windows\System32\RuntimeBroker.exe  [cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding]
  - C:\Windows\system32\backgroundTaskHost.exe  [cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca]
  - C:\Windows\system32\backgroundTaskHost.exe  [cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca]
  - C:\Windows\System32\RuntimeBroker.exe  [cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding]
  - C:\Windows\System32\RuntimeBroker.exe  [cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding]
  - C:\Windows\system32\wbem\wmiprvse.exe  [cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding]
  - C:\Windows\System32\mousocoreworker.exe  [cmd: C:\Windows\System32\mousocoreworker.exe -Embedding]
  - C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  [cmd: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding]
  - C:\Windows\system32\backgroundTaskHost.exe  [cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca]
  - C:\Windows\system32\backgroundTaskHost.exe  [cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca]
  - C:\Windows\system32\backgroundTaskHost.exe  [cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca]
  - C:\Windows\system32\BackgroundTransferHost.exe  [cmd: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1]
  - C:\Windows\system32\BackgroundTransferHost.exe  [cmd: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1]
  - C:\Windows\system32\backgroundTaskHost.exe  [cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca]
  - C:\Windows\system32\backgroundTaskHost.exe  [cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca]
  - C:\Windows\System32\RuntimeBroker.exe  [cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k RPCSS -p]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule]
  - C:\Windows\system32\taskhostw.exe  [cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager]
  - C:\Windows\system32\sihost.exe  [cmd: sihost.exe]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection]
- C:\Windows\System32\spoolsv.exe  [cmd: C:\Windows\System32\spoolsv.exe]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer]
- C:\Windows\sysmon.exe  [cmd: C:\Windows\sysmon.exe]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc]
- C:\Windows\Explorer.EXE  [cmd: C:\Windows\Explorer.EXE]
  - C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe  [cmd: "C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe"]
      signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe  [cmd: "C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe"]
        signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  [cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe]
          signatures: Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\explorer.exe  [cmd: explorer.exe]
            signatures: Boot or Logon Autostart Execution: Active Setup
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  [cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"]
            signatures: Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\System32\Conhost.exe  [cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1]
          - C:\Windows\SysWOW64\windows\system.exe  [cmd: "C:\Windows\system32\windows\system.exe"]
              signatures: Executes dropped EXE
            - C:\Windows\System32\Conhost.exe  [cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc]
- C:\Windows\System32\svchost.exe  [cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc]
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe  [cmd: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service]
- C:\Windows\System32\WaaSMedicAgent.exe  [cmd: C:\Windows\System32\WaaSMedicAgent.exe f911383b43e33a0fa1835ba8709267d9 qmyr5G8v2kOMZjPweHxrtQ.0.1.0.0.0]
  - C:\Windows\System32\Conhost.exe  [cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv]
- C:\Windows\servicing\TrustedInstaller.exe  [cmd: C:\Windows\servicing\TrustedInstaller.exe]
- C:\Windows\system32\svchost.exe  [cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc]
Downloads