Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24/06/2024, 23:11
Static task: static1
Behavioral task: behavioral1
  Sample: 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe
Size: 42KB
MD5: 0b2d88e02b879c09b5a615cf670e592a
SHA1: 156dea84ee8b56c8e45459358d54f41be0876fb8
SHA256: db94bfc9678d07f1c93a7880fdbdda84aa61193500fc0824803d583b637bef2d
SHA512: 89035bffb6c7a7971ea231f36b9f0fdae644c52e822a3288cb42d47332e25e55fe88cf576064875aa8f3b701862b21d09b2f251260bc6021df1712c126906f71
SSDEEP: 768:5sGgkgs9PuO7wd/xAfCK3j/7ZEEALZGXwnvN5BMCt:5sLs9uOEdcCK3z7ZEE6GXwl5R
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 16 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
- Set value (str) Shell = "Explorer.exe \"C:\\Windows\\o4275527.exe\""
  Processes: lsass.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, winlogon.exe, m4623.exe, qm4623.exe, services.exe, smss.exe, csrss.exe
- Set value (str) Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6275522.exe"
  Processes: m4623.exe, csrss.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, winlogon.exe, lsass.exe, smss.exe, services.exe, qm4623.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 8 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  Processes: smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 8 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Processes: winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, smss.exe
Adds policy Run key to start application (2 TTPs, 18 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
  Processes: 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe
- Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
  Processes: 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4353c = "\"C:\\Windows\\_default27552.pif\""
  Processes: smss.exe, services.exe, lsass.exe, qm4623.exe, m4623.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, winlogon.exe, csrss.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\""
  Processes: 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, winlogon.exe, qm4623.exe, csrss.exe, lsass.exe, smss.exe, services.exe, m4623.exe
Disables RegEdit via registry modification (8 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  Processes: 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe
Drops file in Drivers directory (1 IoC)
- File opened for modification C:\Windows\system32\drivers\etc\hosts
  Processes: csrss.exe
Executes dropped EXE (7 IoCs)
- 2572 smss.exe
- 2440 winlogon.exe
- 2764 services.exe
- 1868 csrss.exe
- 1588 lsass.exe
- 2308 qm4623.exe
- 2360 m4623.exe
Loads dropped DLL (15 IoCs)
- 2968 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe (2 events)
- 2572 smss.exe (2 events)
- 2440 winlogon.exe (10 events)
- 1588 lsass.exe (1 event)
Adds Run key to start application (2 TTPs, 16 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\""
  Processes: smss.exe, m4623.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4353c = "\"C:\\Windows\\j6275522.exe\""
  Processes: csrss.exe, qm4623.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, services.exe, lsass.exe, m4623.exe, smss.exe, winlogon.exe
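The six registry signatures above describe one persistence and anti-analysis set: a Winlogon Shell/Userinit hijack, Run and Policies\Explorer\Run entries for the dropped copies, RegEdit disabled, and Explorer told to hide extensions and system files. Because the sample is 32-bit, WOW64 registry redirection sent its Winlogon and Run writes to the Wow6432Node view, while the Policies key, which WOW64 shares between both views, kept its native path; an audit on an x64 host therefore has to read both views. The script below is an added example and not part of the Triage report. It parses the report's "Set value" rows exactly as rendered above, undoes the report's backslash escaping, and flags every value that departs from the defaults it assumes (Shell = explorer.exe; Userinit lists only userinit.exe; any Run or Policies\Explorer\Run value is an added autostart). The rows fed to it are copied from the signatures above, except the one default Shell row marked as constructed, which is there to show a benign value is not flagged.

```python
r"""Audit the report's registry "Set value" rows for autostart and anti-analysis tampering.

Added example, not part of the Triage report. Row format, exactly as the report renders it:
    Set value (str|int) <key path> = "<value, with \" and \\ escaped>" <process>
Defaults assumed (Windows 7 x64 guest): Winlogon Shell is explorer.exe and Userinit lists
only userinit.exe; any value under ...\Run or ...\Policies\Explorer\Run is an added autostart.
"""
import re
from dataclasses import dataclass

ROW_RE = re.compile(
    r'^Set value \((?P<type>str|int)\) (?P<path>\\REGISTRY\\.+?) = '
    r'"(?P<raw>(?:[^"\\]|\\.)*)" (?P<process>\S+)$'
)
DEFAULT_SHELL = 'explorer.exe'
DEFAULT_USERINIT = 'userinit.exe'   # basename of C:\Windows\system32\userinit.exe


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def unescape(raw: str) -> str:
    # The report escapes the value like a JSON string: \" becomes " and \\ becomes a single backslash.
    return re.sub(r'\\(.)', r'\1', raw)


def parse_row(line: str):
    """Return (key path, decoded value, process), or None for rows of another shape ("Key created ...")."""
    m = ROW_RE.match(line.strip())
    return (m['path'], unescape(m['raw']), m['process']) if m else None


def check_value(path: str, value: str, process: str) -> list[Finding]:
    key, _, name = path.rpartition('\\')
    key_l, name_l = key.lower(), name.lower()
    found = []
    if key_l.endswith(r'\winlogon'):
        if name_l == 'shell' and value.strip().lower() != DEFAULT_SHELL:
            found.append(Finding('winlogon_shell', process, value))
        elif name_l == 'userinit':
            # Userinit is a comma-separated program list; anything but userinit.exe is an implant.
            for entry in (e.strip() for e in value.split(',')):
                if entry and entry.rsplit('\\', 1)[-1].lower() != DEFAULT_USERINIT:
                    found.append(Finding('winlogon_userinit', process, entry))
    elif key_l.endswith(r'\currentversion\run') or key_l.endswith(r'\policies\explorer\run'):
        found.append(Finding('run_key', process, f'{name} = {value}'))
    elif name_l == 'disableregistrytools' and value == '1':
        found.append(Finding('regedit_disabled', process, path))
    elif name_l == 'hidefileext' and value == '1':
        found.append(Finding('hide_file_ext', process, path))
    elif name_l == 'showsuperhidden' and value == '0':
        found.append(Finding('hide_system_files', process, path))
    return found


def audit(lines) -> list[Finding]:
    """Run every check over the rows; an identical (rule, process, detail) triple is reported once."""
    seen, out = set(), []
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            continue
        for f in check_value(*parsed):
            if f not in seen:
                seen.add(f)
                out.append(f)
    return out


# Rows copied from the report's signatures above; the "explorer.exe" row is a constructed benign control.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4275527.exe\"" lsass.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6275522.exe" m4623.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4353c = "\"C:\\Windows\\_default27552.pif\"" smss.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" smss.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" winlogon.exe',  # constructed default, must not be flagged
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4275527.exe\"" smss.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe',
]

if __name__ == '__main__':
    for f in audit(SAMPLE_ROWS):
        print(f'{f.rule:<18} {f.process:<50} {f.detail}')
```

The comparison logic is independent of where the rows come from: swap parse_row for whatever your EDR or a reg query of both registry views emits and the same defaults apply. Two rows set Shell to the same value from different processes and both are kept, because the process is part of the finding.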
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\E:, \??\K:, \??\M:, \??\W:, \??\G:, \??\Z:, \??\U:, \??\H:, \??\I:, \??\J:, \??\N:, \??\O:, \??\S:, \??\T:, \??\V:, \??\X:, \??\L:, \??\P:, \??\Q:, \??\R:, \??\Y:
  Processes: lsass.exe
Drops file in System32 directory (64 IoCs)
- C:\Windows\SysWOW64\s4827 (directory)
  File opened for modification: csrss.exe, m4623.exe, services.exe, lsass.exe, winlogon.exe, smss.exe, qm4623.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe
- C:\Windows\SysWOW64\s4827\smss.exe
  File created: qm4623.exe, csrss.exe, services.exe, lsass.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe
  File opened for modification: csrss.exe, smss.exe, lsass.exe, winlogon.exe, qm4623.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, services.exe
- C:\Windows\SysWOW64\s4827\zh59927084y.exe
  File created: 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, m4623.exe
  File opened for modification: qm4623.exe, m4623.exe, winlogon.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, csrss.exe, lsass.exe, smss.exe, services.exe
- C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin
  File created: smss.exe
  File opened for modification: smss.exe
- C:\Windows\SysWOW64\s4827\winlogon.exe
  File created: smss.exe
  File opened for modification: winlogon.exe
- C:\Windows\SysWOW64\s4827\services.exe
  File created: winlogon.exe
  File opened for modification: winlogon.exe
- C:\Windows\SysWOW64\s4827\csrss.exe
  File created: winlogon.exe
  File opened for modification: winlogon.exe
- C:\Windows\SysWOW64\s4827\lsass.exe
  File created: winlogon.exe
  File opened for modification: winlogon.exe
- C:\Windows\SysWOW64\s4827\m4623.exe
  File created: winlogon.exe
- C:\Windows\SysWOW64\s4827\c.bron.tok.txt
  File created: lsass.exe
- C:\Windows\SysWOW64\s4827\brdom.bat
  File created: lsass.exe
  File opened for modification: lsass.exe
- C:\Windows\SysWOW64\s4827\domlist.txt
  File created: cmd.exe
  File opened for modification: lsass.exe
- C:\Windows\SysWOW64\s4827\getdomlist.txt
  File created: cmd.exe
  File opened for modification: lsass.exe
- C:\Windows\SysWOW64\msvbvm60.dll
  File opened for modification: smss.exe, lsass.exe, csrss.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, m4623.exe, winlogon.exe, qm4623.exe, services.exe
- C:\Windows\SysWOW64\c_27552k.com
  File opened for modification: csrss.exe, smss.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, winlogon.exe, m4623.exe, qm4623.exe, services.exe, lsass.exe
Drops file in Windows directory (37 IoCs)
- C:\Windows\j6275522.exe
  File created: 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, m4623.exe, qm4623.exe
  File opened for modification: csrss.exe, qm4623.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, smss.exe, m4623.exe, lsass.exe, services.exe, winlogon.exe
- C:\Windows\o4275527.exe
  File created: 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, lsass.exe, m4623.exe, qm4623.exe
  File opened for modification: smss.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, winlogon.exe, m4623.exe, csrss.exe, qm4623.exe, lsass.exe, services.exe
- C:\Windows\_default27552.pif
  File created: 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe, qm4623.exe, m4623.exe
  File opened for modification: winlogon.exe, smss.exe, csrss.exe, services.exe, lsass.exe, qm4623.exe, m4623.exe, 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe
- C:\Windows\Ad10218 (directory)
  File opened for modification: winlogon.exe
- C:\Windows\Ad10218\qm4623.exe
  File created: winlogon.exe
  File opened for modification: winlogon.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Discovers systems in the same network (1 TTP, 2 IoCs)
- 2436 net.exe
- 864 net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- 2440 winlogon.exe (64 events)
Suspicious use of WriteProcessMemory (56 IoCs)
Each parent/child pair below appears four times in the report; the number in parentheses is the report's procid_target column.
- PID 2968 0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe wrote to memory of 2572 (target 29)
- PID 2572 smss.exe wrote to memory of 2440 (target 31)
- PID 2440 winlogon.exe wrote to memory of 2764 (target 33)
- PID 2440 winlogon.exe wrote to memory of 1868 (target 35)
- PID 2440 winlogon.exe wrote to memory of 1588 (target 37)
- PID 2440 winlogon.exe wrote to memory of 2308 (target 39)
- PID 2440 winlogon.exe wrote to memory of 2360 (target 41)
- PID 2440 winlogon.exe wrote to memory of 856 (target 43)
- PID 2440 winlogon.exe wrote to memory of 2384 (target 45)
- PID 2440 winlogon.exe wrote to memory of 1476 (target 47)
- PID 1588 lsass.exe wrote to memory of 328 (target 49)
- PID 328 cmd.exe wrote to memory of 2436 (target 51)
- PID 1588 lsass.exe wrote to memory of 2796 (target 52)
- PID 2796 cmd.exe wrote to memory of 864 (target 54)
Processes
Indentation follows the parent/child nesting of the process tree; each entry gives the image path, the command line, the PID and the signatures that process triggered.

C:\Users\Admin\AppData\Local\Temp\0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe"
  PID: 2968
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\s4827\smss.exe
      Command line: "C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~
      PID: 2572
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\s4827\winlogon.exe
          Command line: "C:\Windows\system32\s4827\winlogon.exe" ~Brontok~Is~The~Best~
          PID: 2440
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\s4827\services.exe
              Command line: "C:\Windows\system32\s4827\services.exe" ~Brontok~Serv~
              PID: 2764
              - Modifies WinLogon for persistence
              - Modifies visibility of file extensions in Explorer
              - Modifies visibility of hidden/system files in Explorer
              - Adds policy Run key to start application
              - Disables RegEdit via registry modification
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in System32 directory
              - Drops file in Windows directory

            C:\Windows\SysWOW64\s4827\csrss.exe
              Command line: "C:\Windows\system32\s4827\csrss.exe" ~Brontok~SpreadMail~
              PID: 1868
              - Modifies WinLogon for persistence
              - Modifies visibility of file extensions in Explorer
              - Modifies visibility of hidden/system files in Explorer
              - Adds policy Run key to start application
              - Disables RegEdit via registry modification
              - Drops file in Drivers directory
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in System32 directory
              - Drops file in Windows directory

            C:\Windows\SysWOW64\s4827\lsass.exe
              Command line: "C:\Windows\system32\s4827\lsass.exe" ~Brontok~Network~
              PID: 1588
              - Modifies WinLogon for persistence
              - Modifies visibility of file extensions in Explorer
              - Modifies visibility of hidden/system files in Explorer
              - Adds policy Run key to start application
              - Disables RegEdit via registry modification
              - Executes dropped EXE
              - Loads dropped DLL
              - Adds Run key to start application
              - Enumerates connected drives
              - Drops file in System32 directory
              - Drops file in Windows directory
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\cmd.exe
                  Command line: "C:\Windows\System32\cmd.exe" /c net view /domain > "C:\Windows\system32\s4827\domlist.txt"
                  PID: 328
                  - Drops file in System32 directory
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\net.exe
                      Command line: net view /domain
                      PID: 2436
                      - Discovers systems in the same network

                C:\Windows\SysWOW64\cmd.exe
                  Command line: cmd /c ""C:\Windows\system32\s4827\brdom.bat" "
                  PID: 2796
                  - Drops file in System32 directory
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\net.exe
                      Command line: net view /domain:WORKGROUP
                      PID: 864
                      - Discovers systems in the same network

            C:\Windows\Ad10218\qm4623.exe
              Command line: "C:\Windows\Ad10218\qm4623.exe" ~Brontok~Back~Log~
              PID: 2308
              - Modifies WinLogon for persistence
              - Modifies visibility of file extensions in Explorer
              - Modifies visibility of hidden/system files in Explorer
              - Adds policy Run key to start application
              - Disables RegEdit via registry modification
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in System32 directory
              - Drops file in Windows directory

            C:\Windows\SysWOW64\s4827\m4623.exe
              Command line: "C:\Windows\system32\s4827\m4623.exe" ~Brontok~Back~Log~
              PID: 2360
              - Modifies WinLogon for persistence
              - Modifies visibility of file extensions in Explorer
              - Modifies visibility of hidden/system files in Explorer
              - Adds policy Run key to start application
              - Disables RegEdit via registry modification
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in System32 directory
              - Drops file in Windows directory

            C:\Windows\SysWOW64\at.exe
              Command line: "C:\Windows\System32\at.exe" /delete /y
              PID: 856

            C:\Windows\SysWOW64\at.exe
              Command line: "C:\Windows\System32\at.exe" 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"
              PID: 2384

            C:\Windows\SysWOW64\at.exe
              Command line: "C:\Windows\System32\at.exe" 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"
              PID: 1476
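Every dropped copy in the tree is named after a core Windows process (smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe) but launched from C:\Windows\SysWOW64\s4827\, the fake winlogon.exe is the parent of the fake services.exe, csrss.exe and lsass.exe, and at.exe is used first to wipe all jobs and then to register two daily jobs. The image paths read SysWOW64 while the command lines say system32: that is WOW64 file-system redirection of a 32-bit process on the x64 guest, so the files really live under SysWOW64\s4827 and a disk search for the command-line path would miss them. The Python below is an added example, not Triage output. It replays the tree as process-creation events (PIDs and command lines as reported, parent PIDs taken from the nesting, plus two constructed benign rows for wininit.exe and the genuine lsass.exe) and applies three checks: a core process must run from exactly C:\Windows\System32, it must be spawned by its documented parent, and at.exe job handling and net view discovery are surfaced. The expected-parent table is the Windows 7 and later process layout assumed by the example.

```python
r"""Triage a process tree for system-binary masquerading, at.exe persistence and net view discovery.

Added example, not Triage output. Checks applied to every process-creation event:
  1. a core Windows process name must run from exactly C:\Windows\System32
     (not SysWOW64, and not a subfolder such as SysWOW64\s4827);
  2. it must be spawned by its documented parent (Windows 7 and later layout, assumed here);
  3. at.exe job creation/deletion and "net view" discovery are surfaced.
"""
import re
from dataclasses import dataclass

SYSTEM32 = r'c:\windows\system32'
EXPECTED_PARENT = {            # image name -> parent image names that legitimately spawn it
    'smss.exe': {'system'},
    'csrss.exe': {'smss.exe'},
    'wininit.exe': {'smss.exe'},
    'winlogon.exe': {'smss.exe'},
    'services.exe': {'wininit.exe'},
    'lsass.exe': {'wininit.exe'},
}
AT_CREATE_RE = re.compile(r'\bat(?:\.exe)?"?\s+\d{1,2}:\d{2}\b', re.IGNORECASE)   # at.exe HH:MM ...
AT_DELETE_RE = re.compile(r'\bat(?:\.exe)?"?\s+/delete\b', re.IGNORECASE)        # at.exe /delete /y
NET_VIEW_RE = re.compile(r'\bnet(?:\.exe)?"?\s+view\b', re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


@dataclass(frozen=True)
class Alert:
    kind: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit('\\', 1)[0].lower()


def analyze(events: list[Event]) -> list[Alert]:
    by_pid = {e.pid: e for e in events}
    alerts: list[Alert] = []
    for e in events:
        name = basename(e.image)
        if name in EXPECTED_PARENT:
            if dirname(e.image) != SYSTEM32:          # exact directory match, never a prefix test
                alerts.append(Alert('masquerade_path', e.pid, f'{name} running from {e.image}'))
            parent = by_pid.get(e.ppid)
            if parent is not None and basename(parent.image) not in EXPECTED_PARENT[name]:
                alerts.append(Alert('unexpected_parent', e.pid,
                                    f'{name} spawned by {basename(parent.image)} (pid {e.ppid})'))
        if name == 'at.exe':
            if AT_DELETE_RE.search(e.cmdline):
                alerts.append(Alert('at_jobs_deleted', e.pid, e.cmdline))
            elif AT_CREATE_RE.search(e.cmdline):
                alerts.append(Alert('at_job_created', e.pid, e.cmdline))
        if name == 'net.exe' and NET_VIEW_RE.search(e.cmdline):
            alerts.append(Alert('net_view_discovery', e.pid, e.cmdline))
    return alerts


# Transcribed from the tree above: PIDs and command lines as reported, parent PIDs from the nesting.
# The last two rows are a constructed benign baseline (wininit.exe and the genuine lsass.exe).
SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\0b2d88e02b879c09b5a615cf670e592a_JaffaCakes118.exe'
EVENTS = [
    Event(2968, 0, SAMPLE, f'"{SAMPLE}"'),
    Event(2572, 2968, r'C:\Windows\SysWOW64\s4827\smss.exe', r'"C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~'),
    Event(2440, 2572, r'C:\Windows\SysWOW64\s4827\winlogon.exe', r'"C:\Windows\system32\s4827\winlogon.exe" ~Brontok~Is~The~Best~'),
    Event(2764, 2440, r'C:\Windows\SysWOW64\s4827\services.exe', r'"C:\Windows\system32\s4827\services.exe" ~Brontok~Serv~'),
    Event(1868, 2440, r'C:\Windows\SysWOW64\s4827\csrss.exe', r'"C:\Windows\system32\s4827\csrss.exe" ~Brontok~SpreadMail~'),
    Event(1588, 2440, r'C:\Windows\SysWOW64\s4827\lsass.exe', r'"C:\Windows\system32\s4827\lsass.exe" ~Brontok~Network~'),
    Event(328, 1588, r'C:\Windows\SysWOW64\cmd.exe', r'"C:\Windows\System32\cmd.exe" /c net view /domain > "C:\Windows\system32\s4827\domlist.txt"'),
    Event(2436, 328, r'C:\Windows\SysWOW64\net.exe', 'net view /domain'),
    Event(2796, 1588, r'C:\Windows\SysWOW64\cmd.exe', r'cmd /c ""C:\Windows\system32\s4827\brdom.bat" "'),
    Event(864, 2796, r'C:\Windows\SysWOW64\net.exe', 'net view /domain:WORKGROUP'),
    Event(2308, 2440, r'C:\Windows\Ad10218\qm4623.exe', r'"C:\Windows\Ad10218\qm4623.exe" ~Brontok~Back~Log~'),
    Event(2360, 2440, r'C:\Windows\SysWOW64\s4827\m4623.exe', r'"C:\Windows\system32\s4827\m4623.exe" ~Brontok~Back~Log~'),
    Event(856, 2440, r'C:\Windows\SysWOW64\at.exe', r'"C:\Windows\System32\at.exe" /delete /y'),
    Event(2384, 2440, r'C:\Windows\SysWOW64\at.exe', r'"C:\Windows\System32\at.exe" 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"'),
    Event(1476, 2440, r'C:\Windows\SysWOW64\at.exe', r'"C:\Windows\System32\at.exe" 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"'),
    Event(404, 380, r'C:\Windows\System32\wininit.exe', 'wininit.exe'),                 # constructed
    Event(484, 404, r'C:\Windows\System32\lsass.exe', r'C:\Windows\system32\lsass.exe'),  # constructed
]

if __name__ == '__main__':
    for a in analyze(EVENTS):
        print(f'{a.kind:<20} pid {a.pid:<5} {a.detail}')
```

Note that the fake winlogon.exe (PID 2440) passes the parent check, because its parent really is named smss.exe; only the path check catches it. That is why the two checks are kept independent rather than combined into one "looks like a system process" score, and why the directory comparison is an exact match: a prefix test on C:\Windows\SysWOW64 would accept the s4827 subfolder.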
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (5)
Downloads
- Filesize: 42KB
  MD5: b36ba34e2aa3ff061e067763560e18a3
  SHA1: cee7a1e0b3e87389473f94b75620eb32de44d331
  SHA256: d19c1665ff34fc9a706ab553754fe73c66bf3faf0ebf61ff8b12d016485283dd
  SHA512: 43b413edd4f72f5a395c4051bd898127c742a58ab1439b953e28302c4c4f813b3dfefcfe78c000e69a9c1e0c6e57169bdf54a769181bc007c2119df85c173e6e
- Filesize: 42KB (same hashes as the submitted sample)
  MD5: 0b2d88e02b879c09b5a615cf670e592a
  SHA1: 156dea84ee8b56c8e45459358d54f41be0876fb8
  SHA256: db94bfc9678d07f1c93a7880fdbdda84aa61193500fc0824803d583b637bef2d
  SHA512: 89035bffb6c7a7971ea231f36b9f0fdae644c52e822a3288cb42d47332e25e55fe88cf576064875aa8f3b701862b21d09b2f251260bc6021df1712c126906f71
- Filesize: 73B
  MD5: 6fc63a266767a5de3cc18f2b7ac5a703
  SHA1: d23d7f8b213e9a311e37d058499502bd207c448e
  SHA256: 3d08ce4422af041981e6e9b0c55bceeaac098940c5e37f459fa22eb472390812
  SHA512: ee6b97e09d1a1de916771143235e545cccfab6d22d2355d5c7994a0c9aafcfd640bf78cbd19570dace378e4c1b8b784278c41c80d45a62ac60c75e944110976c
- Filesize: 42KB
  MD5: 9d0fdab2cf04b4546ce975a03ddb2eaf
  SHA1: c0cb61e8d947f031226b98a015a509c65516b7f2
  SHA256: d842bd8dc8a70ce6498709d76e1d7504e54dd4b7715262de2c1b44c4f4d4c163
  SHA512: 04f995169647416fbb6525e0ee2a51fb8bbf0b74d801f5020165fdaf797b61edcd0fdb028f558cf39ffad738d45093cf10738403ac69c9388ba52d5cccd1e5a0
- Filesize: 42KB
  MD5: 12b10c8bcd5accdcfd8dce436579a99a
  SHA1: 9086af0af2b42dfa13d8f1b84bc6bf515ed13514
  SHA256: 34482b8663522a8c24205ce492a40fd5d0916b0215079b09a332922d9f7ff4cf
  SHA512: 3e0aa71497367a43609e891c164fca38238c09c17a1a66f4882a9bd166086fa2fe4e222306db495a70fa4b921992fd7be18c3b232f456afed52399e005d77bee
- Filesize: 42KB
  MD5: 80f31d2fe20931aefb069b31be9066ee
  SHA1: f80fa6da3c85e8a21e6bf6cf5a75b2a79bfb0dea
  SHA256: 2c6ec25499787ec03bd74983e8a5147fa080e6ea068045a7d1a7a7ad58500ccc
  SHA512: ddb941a96ebb3d6c5abd749eb8276b46e52c82c18326d94b2183d785ad141eaf83b9d508ca9e35d942058d0aa37414398a3580d2bfc5a9ef800af36794261cb9