Analysis Overview
SHA256
08b29bebdc1352bb5c37382f3e32a712d12e217339417e99cd278606c2b06004
Threat Level: Likely malicious
The file 12311cc235e275dcc60a730d871f58a0_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Drops file in Drivers directory
Deletes itself
Loads dropped DLL
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Adds Run key to start application
Enumerates connected drives
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 13:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 13:47
Reported
2024-06-26 13:50
Platform
win7-20240508-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "360safe" | C:\Windows\Tasks\kav32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "%windir%\\Tasks\\pig.vbs" | C:\Windows\Tasks\kav32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK} | C:\Windows\Tasks\kav32.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\Tasks\kav32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Tasks\kav32.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WINDEFEND | C:\Windows\Tasks\kav32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\POWER | C:\Windows\Tasks\kav32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PROFSVC | C:\Windows\Tasks\kav32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\Tasks\kav32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\Tasks\kav32.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Tasks\kav32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Games\Hearts\de-DE\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\skins\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\management\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\es\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\More Games\fr-FR\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\de\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\es-ES\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Solitaire\ja-JP\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\art\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fr\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\is\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ast\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_filter\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\skins\fonts\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\server\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\es-ES\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\d3d11\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\services_discovery\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\en-US\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\jfr\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\de-DE\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\security\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ku_IQ\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tr\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\注册.bat | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Windows\Tasks\注册.bat | C:\Windows\Tasks\kav32.exe | N/A |
| File created | C:\Windows\Tasks\wsock33.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File created | C:\Windows\Tasks\kav32.exe | C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\Tasks\kav32.exe | C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe | N/A |
| File created | C:\Windows\Tasks\pig.vbs | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Windows\Tasks\pig.vbs | C:\Windows\Tasks\kav32.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Tasks\kav32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\dek.bat
C:\Windows\SysWOW64\ipconfig.exe
ipconfig
C:\Windows\Tasks\kav32.exe
C:\Windows\Tasks\kav32.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
Files
C:\dek.bat
| MD5 | 6d97bc1c912edb0c8b36bd0933e016e2 |
| SHA1 | 8cd68b46e047b567a5e83c460c515a2ff3d0bedd |
| SHA256 | 98419ee23036b7f7b95621474cb4565928f68b13c726ffdb38bc6657b94aa2f3 |
| SHA512 | ec2ef33d409e50ca79f0e47d2ca091b5709e5bb9437c7938dcbf02b6d5319362659a4e5eba3fed23828d02f999aec28a79cc84f45483a260a8140442a92faec4 |
\Windows\Tasks\kav32.exe
| MD5 | e053b0e34ed7e0304db7e14368bfb4bf |
| SHA1 | d416d0db61246a9c007672ce25bbe44752ffb7be |
| SHA256 | c4f556508e85fc2f1199a8cc22946537d83a939dbaa4dec46e7315561d8a847a |
| SHA512 | 1d2b194f149848012b9bef32688762cda40d454bd1f7d8af7aa0b50fc754e264b7d5bf2b800dcb6279cd08645bc18e572588eea7b9a36fbe30626f6a93e9e04d |
C:\Windows\Tasks\pig.vbs
| MD5 | 93511c0c00557b8222622f1b1b94490d |
| SHA1 | 2fffbe81f874d1941efa9b6dc7735d88179c66bc |
| SHA256 | 944dec2284cc789df1cd0d81dd65de6a39d5bd60be9317bdca93acd9359f16ff |
| SHA512 | e0cae4aab8ed14cd1e4c2372020f50cc28f93a99719eb9973b136bb38c05cef0da0f8d994e5af5e6fa7be64bb6b7fc8afab2e980563af51db9027fb67e759aef |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 6da7c967eefb1285a128b117468478f1 |
| SHA1 | 337d5061de98819a3ab9613310611d5d691f769c |
| SHA256 | 2b4590d13dc6eca9c6df1a210e9f5071b8785feef59bcdd36c13f8e34e321e12 |
| SHA512 | ab94f37518b0bc410206013d2768736dd677ddaf7d7373403e6e052e28b136385e9673e78aab013000cb2797510700eb9bd4d9d8d8f84c0e62b6ed2f3a66e7d7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 13:47
Reported
2024-06-26 13:50
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "%windir%\\Tasks\\pig.vbs" | C:\Windows\Tasks\kav32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK} | C:\Windows\Tasks\kav32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "360safe" | C:\Windows\Tasks\kav32.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\Tasks\kav32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Tasks\kav32.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\PROFSVC | C:\Windows\Tasks\kav32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\SERCX2.SYS | C:\Windows\Tasks\kav32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\USERMANAGER | C:\Windows\Tasks\kav32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\CBDHSVC | C:\Windows\Tasks\kav32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\IAI2C.SYS | C:\Windows\Tasks\kav32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\POWER | C:\Windows\Tasks\kav32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | C:\Windows\Tasks\kav32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\Tasks\kav32.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Tasks\kav32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\de-DE\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fi-FI\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Document Parts\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1036\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\management\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\fre\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\fr-FR\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\images\cursors\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\it-IT\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\uk-UA\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\zh-TW\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f7\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B8436FDE-48B5-46DA-A041-D5945D20D942\root\vfs\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\amd64\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\lt-LT\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\pt-BR\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\de-DE\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\wsock32.dll | C:\Windows\Tasks\kav32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\kav32.exe | C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\Tasks\kav32.exe | C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe | N/A |
| File created | C:\Windows\Tasks\pig.vbs | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Windows\Tasks\pig.vbs | C:\Windows\Tasks\kav32.exe | N/A |
| File created | C:\Windows\Tasks\注册.bat | C:\Windows\Tasks\kav32.exe | N/A |
| File opened for modification | C:\Windows\Tasks\注册.bat | C:\Windows\Tasks\kav32.exe | N/A |
| File created | C:\Windows\Tasks\wsock33.dll | C:\Windows\Tasks\kav32.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Tasks\kav32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dek.bat
C:\Windows\SysWOW64\ipconfig.exe
ipconfig
C:\Windows\Tasks\kav32.exe
C:\Windows\Tasks\kav32.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| N/A | 10.127.0.1:445 | N/A | tcp |
| N/A | 10.127.0.1:139 | N/A | tcp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| N/A | 10.127.0.1:445 | N/A | tcp |
| N/A | 10.127.0.1:139 | N/A | tcp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| N/A | 10.127.0.1:445 | N/A | tcp |
| N/A | 10.127.0.1:139 | N/A | tcp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
| US | 8.8.8.8:53 | www.indexgg.cn | udp |
Files
\??\c:\dek.bat
| MD5 | 6d97bc1c912edb0c8b36bd0933e016e2 |
| SHA1 | 8cd68b46e047b567a5e83c460c515a2ff3d0bedd |
| SHA256 | 98419ee23036b7f7b95621474cb4565928f68b13c726ffdb38bc6657b94aa2f3 |
| SHA512 | ec2ef33d409e50ca79f0e47d2ca091b5709e5bb9437c7938dcbf02b6d5319362659a4e5eba3fed23828d02f999aec28a79cc84f45483a260a8140442a92faec4 |
C:\Windows\Tasks\kav32.exe
| MD5 | e053b0e34ed7e0304db7e14368bfb4bf |
| SHA1 | d416d0db61246a9c007672ce25bbe44752ffb7be |
| SHA256 | c4f556508e85fc2f1199a8cc22946537d83a939dbaa4dec46e7315561d8a847a |
| SHA512 | 1d2b194f149848012b9bef32688762cda40d454bd1f7d8af7aa0b50fc754e264b7d5bf2b800dcb6279cd08645bc18e572588eea7b9a36fbe30626f6a93e9e04d |
C:\Windows\Tasks\pig.vbs
| MD5 | 93511c0c00557b8222622f1b1b94490d |
| SHA1 | 2fffbe81f874d1941efa9b6dc7735d88179c66bc |
| SHA256 | 944dec2284cc789df1cd0d81dd65de6a39d5bd60be9317bdca93acd9359f16ff |
| SHA512 | e0cae4aab8ed14cd1e4c2372020f50cc28f93a99719eb9973b136bb38c05cef0da0f8d994e5af5e6fa7be64bb6b7fc8afab2e980563af51db9027fb67e759aef |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 6da7c967eefb1285a128b117468478f1 |
| SHA1 | 337d5061de98819a3ab9613310611d5d691f769c |
| SHA256 | 2b4590d13dc6eca9c6df1a210e9f5071b8785feef59bcdd36c13f8e34e321e12 |
| SHA512 | ab94f37518b0bc410206013d2768736dd677ddaf7d7373403e6e052e28b136385e9673e78aab013000cb2797510700eb9bd4d9d8d8f84c0e62b6ed2f3a66e7d7 |