Analysis Overview
SHA256
41a172ec0f296a206c693534a2186ba8f5dad0835f19317eb96e495b3e511096
Threat Level: Known bad
The file 119aaa372d0901515c8f5555ef04359c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Modifies visibility of file extensions in Explorer
Adds policy Run key to start application
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 10:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 10:00
Reported
2024-06-26 10:03
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\windows\hosts.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\windows\hosts.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IZKCKOTP = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IZKCKOTP = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IZKCKOTP = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Windows\SysWOW64\REG.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\windows\hosts.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | \??\c:\windows\W_X_C.bat | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\windows\hosts.exe | N/A |
| File created | C:\windows\W_X_C.vbs | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
Network
Files
\Users\Admin\AppData\Local\Temp\avscan.exe
| MD5 | 013c8d1a12c99688b5d8b1616261ef2e |
| SHA1 | 14fdc8aaaf39e1fa6641bf68d1e8f718b47566f4 |
| SHA256 | 25f4e8b7d30c3a01254d472fdc153ef6080f57d6a68d9514f906db8a2af40cd5 |
| SHA512 | eb18c84010928eb0c0861811c929cd1d5e141a451d6dfc96c0482488f2bf67c637b1993ddf8432ea390de4bae3d177c500ebe93c67e22a76994645b181356ab2 |
C:\Windows\hosts.exe
| MD5 | 86d54c4e801c82ed12020eba678a0c3d |
| SHA1 | d00b0ccac771a4895ef4bf23a41a8fcfbcef32e7 |
| SHA256 | 47f092937ed03f04a91a0105ef4f76dd86b1d3db3ea0f4947cb3bbb51271b254 |
| SHA512 | d288f9a68d6c3413dd732ef44b750a37d91578b90a94bb4d87759efd33d74e241e991dc3dd6fd007d2b3785a546f38b403f03f0255cc9d4a539dc1e0ba86b4f8 |
\??\c:\windows\W_X_C.bat
| MD5 | 4db9f8b6175722b62ececeeeba1ce307 |
| SHA1 | 3b3ba8414706e72a6fa19e884a97b87609e11e47 |
| SHA256 | d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78 |
| SHA512 | 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b |
C:\Windows\W_X_C.vbs
| MD5 | 953cf5c915c9c58501354c4826dea466 |
| SHA1 | 2934232a159f5c3738212aa3ece4cdd45ba8cfe4 |
| SHA256 | bbdb3fb588b1aca990fbc6355f577bdd40c60e69d9951142da5e8dc84e0b33ed |
| SHA512 | 77472ee7f75bee37380d22c14e698b07240c0177b1b4850b72b5ee05136cf17ac3e391b26c6876bfed15049326cd0e2717d0f1de8c4fffba4cd83446218c3147 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | c431bc744cfbb85feb9678cf865f244b |
| SHA1 | 342c1d30e391a2a9a3a6ae39f93880bedc5b5ea1 |
| SHA256 | 704185609596a555ba9e1865cfafef71b5237467124e440f58261701b7beb133 |
| SHA512 | 67ca2e14cad1c167666dd4756c9386dac7a1e0a9b9767e23be8787e81e96085bc39d031a27dd8611b516c791434bb09b81c671a8c8c8a0521347258c11ce30f4 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 3b49a5581c3ed6210efceb0d06105c37 |
| SHA1 | 58e7e6e78a3fcba17937e3d4f982130d4548aa6f |
| SHA256 | eb5f6fd5b32a91052a2b37e65effd76bbc44ff9538f39cf15ccce96f4cd239fc |
| SHA512 | a18aaf93885c028be0d0883e95dcded1dc02a0c6c9798e5d97f1ba0ec1ad13bfc2e2dfb5c340c7c973a29f89d0af336bd67f4c02a5fbd02810da4adc6ea6d4b1 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 5889ffa844a00368d3096bd0603e3f3c |
| SHA1 | 5b54d95244bc4de72a474603229becc9ece54259 |
| SHA256 | acda67924344ffa381e92844de633355b8a485431ebb3d435bab5e48fecba1b5 |
| SHA512 | 47acac2d1dee7f7dd56a9fb322e25bf36f023fbc014b849189f2b23e639a7b015d67d60974489be8ded6b3a7b097d5bfc54004f0a9e8ce5afaed9651f9c7225a |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 7cde3d52f8d2fede6f2893e4d6f70f03 |
| SHA1 | 228634dab63379db3ea3c9f95a82b7d6cb8453ab |
| SHA256 | c813cba0561d939db3feacc048953022d65237cd41b6b7ea78d5de74efc05d60 |
| SHA512 | a34e9c52d7c9ae5889ca114643b4c86f9ea5d7eb4a92220b04ef110b909466b8e0897ca906b0815c6953c791d22cbfe38fa3428a4c4d2df57f3b75adbf107f2c |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 85313e8658d906a53cf4b3a8259884ad |
| SHA1 | 704129bb5b706352022d6431ed86b739ca80720c |
| SHA256 | fccc0b58a0031882c85349dc223165c3f613b89d326250e675464ee8c42f058b |
| SHA512 | c6655c83ad3be366a6892d7260ccfa0734d6d75eaff75175eed12c5ce6d67ad55e05addca2fae2e9df0ab2b8e0f93d5391bf9cd8a93e5ebd28d29525e6adb92a |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | ff8f59afced69104020b873fe34d45dc |
| SHA1 | 71b79722bebe98bd909a837753b4f8370713f7d5 |
| SHA256 | b07099cfd726951824ca4ead9026a2fc5bc76499c2b9c613f4deb19d73ebbf23 |
| SHA512 | 09c03c927961474da193ae05abf192c0f80cfa6608c3a2ea0c2e8ab95d3eee86cdb6a162fa7b50a63a42e9bb001a3152c17c4f660abe6429574e3655529f2df7 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 507ef36ee349bd07178ea201bc3a5b94 |
| SHA1 | 2f882206885f31f9d7e43df631755fb1530aaa27 |
| SHA256 | bd016d96ef9165acedba2d7c643b363a876e4ea5b79e9ea9093de9d80178d872 |
| SHA512 | 88b2d80d767eeeec2af4d07e588bcc432c7ceb63f89b70ec7c5511a06b2f240f9152f4c0ac058d05c6a8d4991053ed6916c096d1abdad5d99c5a31703c845ac1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 10:00
Reported
2024-06-26 10:03
Platform
win10v2004-20240611-en
Max time kernel
133s
Max time network
102s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\windows\hosts.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\windows\hosts.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ENXQHETB = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ENXQHETB = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ENXQHETB = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Windows\SysWOW64\REG.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\windows\hosts.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\windows\W_X_C.vbs | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| File created | \??\c:\windows\W_X_C.bat | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\windows\hosts.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 52.111.227.13:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\avscan.exe
| MD5 | 013c8d1a12c99688b5d8b1616261ef2e |
| SHA1 | 14fdc8aaaf39e1fa6641bf68d1e8f718b47566f4 |
| SHA256 | 25f4e8b7d30c3a01254d472fdc153ef6080f57d6a68d9514f906db8a2af40cd5 |
| SHA512 | eb18c84010928eb0c0861811c929cd1d5e141a451d6dfc96c0482488f2bf67c637b1993ddf8432ea390de4bae3d177c500ebe93c67e22a76994645b181356ab2 |
C:\Windows\hosts.exe
| MD5 | 86d54c4e801c82ed12020eba678a0c3d |
| SHA1 | d00b0ccac771a4895ef4bf23a41a8fcfbcef32e7 |
| SHA256 | 47f092937ed03f04a91a0105ef4f76dd86b1d3db3ea0f4947cb3bbb51271b254 |
| SHA512 | d288f9a68d6c3413dd732ef44b750a37d91578b90a94bb4d87759efd33d74e241e991dc3dd6fd007d2b3785a546f38b403f03f0255cc9d4a539dc1e0ba86b4f8 |
\??\c:\windows\W_X_C.bat
| MD5 | 4db9f8b6175722b62ececeeeba1ce307 |
| SHA1 | 3b3ba8414706e72a6fa19e884a97b87609e11e47 |
| SHA256 | d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78 |
| SHA512 | 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b |
C:\Windows\W_X_C.vbs
| MD5 | 1037a3f26ea204e975ce9b80057454c9 |
| SHA1 | b22c9b474d7e673cf96400addc51c4cc6f539d8b |
| SHA256 | 0188d783fbd81cfca2cb417420a1a9855003300a1a6cc4470bbf72684b338e2f |
| SHA512 | f48e76ec3263320f9e7661c14a1315df32e670efe8c8a8a8f8b0a8c26943fd08f65cc2566aac1ac89598b4f0f9127180da5dbf25749accbd142654ecb9c820b3 |