Analysis Overview
SHA256
e7d0e2327e5f436800495cf2dd4f8c760da7e0bc5b1e9555c24e94e95140fc66
Threat Level: Known bad
The file 0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Ramnit
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-25 18:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 18:27
Reported
2024-06-25 18:29
Platform
win10v2004-20240508-en
Max time kernel
58s
Max time network
120s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe
C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 212 -ip 212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 296
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x500
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | | tcp |
| US | 8.8.8.8:53 | kblohd.com | udp |
| US | 8.8.8.8:53 | qubwcw.com | udp |
| US | 8.8.8.8:53 | osboks.com | udp |
| US | 8.8.8.8:53 | ayljin.com | udp |
| US | 8.8.8.8:53 | yoatei.com | udp |
| US | 8.8.8.8:53 | esuqux.com | udp |
| US | 8.8.8.8:53 | aiamxq.com | udp |
| US | 8.8.8.8:53 | ajidyr.com | udp |
| US | 8.8.8.8:53 | atippv.com | udp |
| US | 8.8.8.8:53 | xoommz.com | udp |
| US | 8.8.8.8:53 | ytamkm.com | udp |
| US | 8.8.8.8:53 | phyqlf.com | udp |
| US | 8.8.8.8:53 | omahsh.com | udp |
| US | 8.8.8.8:53 | mutajk.com | udp |
| US | 8.8.8.8:53 | uvrijx.com | udp |
| US | 8.8.8.8:53 | ivhoah.com | udp |
| US | 8.8.8.8:53 | puzghi.com | udp |
| US | 8.8.8.8:53 | fqttch.com | udp |
| US | 8.8.8.8:53 | jyidty.com | udp |
| US | 8.8.8.8:53 | oxjhep.com | udp |
| US | 8.8.8.8:53 | faboam.com | udp |
| US | 8.8.8.8:53 | joyify.com | udp |
| US | 8.8.8.8:53 | kwopoa.com | udp |
| US | 8.8.8.8:53 | mopylx.com | udp |
| US | 8.8.8.8:53 | ehvjue.com | udp |
| US | 8.8.8.8:53 | paaupu.com | udp |
| US | 8.8.8.8:53 | znjhgn.com | udp |
| US | 8.8.8.8:53 | xatwvs.com | udp |
| US | 8.8.8.8:53 | wbusfu.com | udp |
| US | 8.8.8.8:53 | lgdihw.com | udp |
| US | 8.8.8.8:53 | xkdnmi.com | udp |
| US | 8.8.8.8:53 | qcixpe.com | udp |
| US | 8.8.8.8:53 | bswadk.com | udp |
| US | 8.8.8.8:53 | wmsaff.com | udp |
| US | 8.8.8.8:53 | gxwuhz.com | udp |
| US | 8.8.8.8:53 | wcidpz.com | udp |
| US | 8.8.8.8:53 | uduwxe.com | udp |
| US | 8.8.8.8:53 | hzovmu.com | udp |
| US | 8.8.8.8:53 | yccbiy.com | udp |
| US | 8.8.8.8:53 | juvieq.com | udp |
| US | 8.8.8.8:53 | tagxte.com | udp |
| US | 8.8.8.8:53 | exqoeu.com | udp |
| US | 8.8.8.8:53 | xjqdkc.com | udp |
| US | 8.8.8.8:53 | bziuua.com | udp |
| US | 8.8.8.8:53 | nduvxv.com | udp |
| US | 8.8.8.8:53 | xrshda.com | udp |
| US | 8.8.8.8:53 | xbonei.com | udp |
| US | 8.8.8.8:53 | onnwca.com | udp |
| US | 8.8.8.8:53 | jsbpaf.com | udp |
| US | 8.8.8.8:53 | haiuup.com | udp |
| US | 8.8.8.8:53 | niuvua.com | udp |
| US | 8.8.8.8:53 | jpxiak.com | udp |
| US | 8.8.8.8:53 | lgutpz.com | udp |
| US | 8.8.8.8:53 | oladuk.com | udp |
| US | 8.8.8.8:53 | fosfty.com | udp |
| US | 8.8.8.8:53 | yekavn.com | udp |
| US | 8.8.8.8:53 | pxomzu.com | udp |
| US | 8.8.8.8:53 | wazyaa.com | udp |
| US | 8.8.8.8:53 | umsmpp.com | udp |
| US | 8.8.8.8:53 | azrkxe.com | udp |
| US | 8.8.8.8:53 | fvltuq.com | udp |
| US | 8.8.8.8:53 | gzpcou.com | udp |
| US | 8.8.8.8:53 | sjaphg.com | udp |
| US | 8.8.8.8:53 | azembh.com | udp |
| US | 8.8.8.8:53 | exilok.com | udp |
| US | 8.8.8.8:53 | hgancg.com | udp |
| US | 8.8.8.8:53 | dhcxli.com | udp |
| US | 8.8.8.8:53 | vzeukv.com | udp |
| US | 8.8.8.8:53 | gooyal.com | udp |
| IR | 212.23.216.74:443 | gooyal.com | tcp |
| US | 8.8.8.8:53 | 74.216.23.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nhjcou.com | udp |
| US | 8.8.8.8:53 | yijjrs.com | udp |
| US | 8.8.8.8:53 | bpnoor.com | udp |
| US | 8.8.8.8:53 | hbeoja.com | udp |
| US | 8.8.8.8:53 | zoeowj.com | udp |
| US | 8.8.8.8:53 | edwzjs.com | udp |
| HK | 156.234.1.45:443 | edwzjs.com | tcp |
| US | 8.8.8.8:53 | 45.1.234.156.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | | tcp |
| US | 8.8.8.8:53 | otytkf.com | udp |
| US | 8.8.8.8:53 | rwivvk.com | udp |
| US | 8.8.8.8:53 | tspldr.com | udp |
| US | 8.8.8.8:53 | dvkpss.com | udp |
| US | 8.8.8.8:53 | pzyhvl.com | udp |
| US | 8.8.8.8:53 | svudoy.com | udp |
| US | 8.8.8.8:53 | aabuqy.com | udp |
| US | 8.8.8.8:53 | uzknfn.com | udp |
| US | 8.8.8.8:53 | ibihpx.com | udp |
| US | 8.8.8.8:53 | gtuzaf.com | udp |
| US | 8.8.8.8:53 | pnniay.com | udp |
| US | 8.8.8.8:53 | gacony.com | udp |
| US | 8.8.8.8:53 | maieka.com | udp |
| US | 8.8.8.8:53 | qsbqdg.com | udp |
| US | 8.8.8.8:53 | ypadsk.com | udp |
| US | 8.8.8.8:53 | oyaqnp.com | udp |
| US | 8.8.8.8:53 | chlotu.com | udp |
| US | 8.8.8.8:53 | nmqeae.com | udp |
| US | 8.8.8.8:53 | quvogv.com | udp |
| US | 8.8.8.8:53 | brvkmd.com | udp |
| US | 8.8.8.8:53 | uxuyei.com | udp |
| US | 8.8.8.8:53 | cfubcu.com | udp |
| US | 8.8.8.8:53 | wbqcdg.com | udp |
| US | 8.8.8.8:53 | hborxz.com | udp |
Files
memory/2708-0-0x0000000000400000-0x0000000000440000-memory.dmp
memory/212-4-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe
| MD5 | d0cf057b8ed976606587c8f872293212 |
| SHA1 | ca7854e660293fdd1c4daa95e0af88342067b58e |
| SHA256 | 5dff0de15eeaf6e045817fb4658339b568dcd2c6454375d579dd1d8025102db4 |
| SHA512 | 2ec9941f8eb6c82fb6f4d00a4cf44de001067a2c5fe48b217289173db0f8de2bddaf43a150ea02400096f0219541ce57ae91da9c0e88232eb9382e55c2c2e37d |
memory/2708-6-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/2708-8-0x0000000077583000-0x0000000077584000-memory.dmp
memory/2708-7-0x0000000077582000-0x0000000077583000-memory.dmp
memory/2708-9-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/2708-10-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/212-11-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/212-12-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2708-13-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/2708-14-0x000000007FE40000-0x000000007FE4C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 18:27
Reported
2024-06-25 18:29
Platform
win7-20240611-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wininit.exe
wininit.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1622449210-1925294778-89761166344252798-995134187-16252969049579706541543104410"
C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe
C:\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe
Network
Files
memory/2024-0-0x0000000000400000-0x0000000000440000-memory.dmp
\Users\Admin\AppData\Local\Temp\0f1670b2bf9c98d525d189a527cb4b77_JaffaCakes118mgr.exe
| MD5 | d0cf057b8ed976606587c8f872293212 |
| SHA1 | ca7854e660293fdd1c4daa95e0af88342067b58e |
| SHA256 | 5dff0de15eeaf6e045817fb4658339b568dcd2c6454375d579dd1d8025102db4 |
| SHA512 | 2ec9941f8eb6c82fb6f4d00a4cf44de001067a2c5fe48b217289173db0f8de2bddaf43a150ea02400096f0219541ce57ae91da9c0e88232eb9382e55c2c2e37d |
memory/2900-11-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2024-9-0x00000000002B0000-0x000000000031E000-memory.dmp
memory/2024-8-0x00000000002B0000-0x000000000031E000-memory.dmp
memory/2900-13-0x0000000077620000-0x0000000077621000-memory.dmp
memory/2024-12-0x000000007761F000-0x0000000077620000-memory.dmp
memory/2900-16-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2900-17-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2900-15-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/2900-14-0x0000000000280000-0x0000000000281000-memory.dmp