Analysis
max time kernel: 149s
max time network: 138s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 27/06/2024, 10:55
Behavioral task behavioral1
Sample: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Resource: win7-20231129-en
Behavioral task behavioral2
Sample: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Resource: win10v2004-20240611-en
General
Target: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Size: 197KB
MD5: 15bcae517e5be46a385c5c79994c6e6e
SHA1: 8d5a3cfa91d82f4f2c71ac7a277d4bb818959560
SHA256: 2489d37b356fda9b26a6fe9320e3ef0bec0e657da55fdb2c11d98b3c3e739ec3
SHA512: 8abaf8afa0030a44e5568fd0539a558975b1f7d7dbc1309085e20bcb2729e92949892c2d9762d75d013a2869e45f92d5d23e8ddfb7ee00bdb16a24f61e152e53
SSDEEP: 6144:8Gjx6PxGvpPkdRpRc6at6oHW9k1UJADkau:8HcvpPkdRpRcNtvzDu
Malware Config
Signatures
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | SMSS.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | LSASS.EXE
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x000c000000015605-76.dat | acprotect
Executes dropped EXE 11 IoCs
pid | Process
2576 | SMSS.EXE
2644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
2188 | SMSS.EXE
1076 | LSASS.EXE
1644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe
1640 | LSASS.EXE
2348 | SMSS.EXE
2960 | SMSS.EXE
884 | SMSS.EXE
940 | SMSS.EXE
2516 | SMSS.EXE
Loads dropped DLL 25 IoCs
pid | Process | entries
2524 | cmd.exe | 2
3040 | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe | 2
2176 | cmd.exe | 2
2644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log | 6
1076 | LSASS.EXE | 1
1756 | regsvr32.exe | 1
1104 | cmd.exe | 2
1016 | cmd.exe | 2
608 | cmd.exe | 2
1076 | LSASS.EXE | 2
940 | SMSS.EXE | 1
1276 | cmd.exe | 2
UPX packed file 28 IoCs
resource | yara_rule
behavioral1/memory/3040-0-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/files/0x000a000000015018-12.dat | upx
behavioral1/memory/3040-14-0x0000000002F30000-0x0000000002F5B000-memory.dmp | upx
behavioral1/memory/3040-17-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2644-19-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/files/0x0008000000015616-31.dat | upx
behavioral1/memory/1076-40-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2644-52-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1640-54-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1640-67-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/files/0x000c000000015605-76.dat | upx
behavioral1/memory/1076-80-0x0000000010000000-0x0000000010012000-memory.dmp | upx
behavioral1/memory/940-103-0x0000000010000000-0x0000000010012000-memory.dmp | upx
behavioral1/memory/1076-108-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1076-112-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1076-113-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1076-117-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1076-121-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1076-125-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1076-129-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1076-133-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1076-137-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1076-141-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1076-145-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1076-149-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1076-154-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1076-176-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1076-180-0x0000000000400000-0x000000000042B000-memory.dmp | upx
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Checks for any installed AV software in registry 1 TTPs 4 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | LSASS.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | LSASS.EXE
Checks whether UAC is enabled 4 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | LSASS.EXE
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | LSASS.EXE
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
File opened (read-only) | \??\E: | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File opened (read-only) | \??\E: | LSASS.EXE
File opened (read-only) | \??\E: | LSASS.EXE
Drops autorun.inf file 1 TTPs 13 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | D:\AUTORUN.INF | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File opened for modification | \??\E:\AUTORUN.INF | LSASS.EXE
File opened for modification | D:\AUTORUN.INF | LSASS.EXE
File opened for modification | \??\E:\AUTORUN.INF | LSASS.EXE
File opened for modification | C:\AUTORUN.INF | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
File opened for modification | D:\AUTORUN.INF | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
File opened for modification | C:\AUTORUN.INF | LSASS.EXE
File opened for modification | \??\E:\AUTORUN.INF | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File opened for modification | D:\AUTORUN.INF | LSASS.EXE
File opened for modification | C:\AUTORUN.INF | LSASS.EXE
File created | C:\AUTORUN.INF | LSASS.EXE
File opened for modification | \??\E:\AUTORUN.INF | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
File opened for modification | C:\AUTORUN.INF | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
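The rows above record AUTORUN.INF being written to the C:, D: and E: roots, and the process tree further down copies LSASS.EXE to <drive>:\pagefile.pif on the same volumes. The script below is an added hunting example, not part of the tria.ge report: it walks volume roots, parses any autorun.inf using the standard open / shellexecute / shell\<verb>\command directives, and reports which executable beside it would be launched. The AUTORUN.INF text and the stand-in pagefile.pif it builds in a temporary directory are constructed for the demo; the page does not show the real file's contents, only that it was written.

```python
"""Hunt for the removable-media propagation pattern from the report above:
an AUTORUN.INF in a volume root that launches a .pif/.exe dropped beside it.

Added example, not part of the tria.ge report. The report shows AUTORUN.INF
written to C:\\, D:\\ and E:\\ and LSASS.EXE copied to <drive>:\\pagefile.pif;
the AUTORUN.INF text in build_demo_roots() is CONSTRUCTED for this demo (the
page does not show the real file) using the standard [autorun] directives.
"""
import configparser
import hashlib
import os
import re
import tempfile

# autorun.inf keys that name something to execute: open, shellexecute and any
# shell\<verb>\command entry. Keys are compared case-insensitively.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
EXEC_EXTS = {".pif", ".exe", ".com", ".scr", ".bat", ".cmd", ".vbs"}


def read_text_any(path):
    """Decode an autorun.inf that may be UTF-8 (with or without BOM) or UTF-16."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8-sig", errors="replace")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased.

    autorun.inf is INI-like and case-insensitive on Windows. strict=False
    tolerates duplicate keys, which malware-written files often contain.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), empty_lines_in_values=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp[section])
    return {}


def launch_targets(autorun):
    """Program names the section would execute, de-duplicated, arguments stripped."""
    seen, targets = set(), []
    for key, value in autorun.items():
        if not LAUNCH_KEY_RE.match(key):
            continue
        prog = value.strip().strip('"').split(" ")[0].strip('"')
        if prog and prog.lower() not in seen:
            seen.add(prog.lower())
            targets.append(prog)
    return targets


def find_ci(directory, name):
    """Case-insensitive lookup (NTFS is case-insensitive; the demo filesystem may not be)."""
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_root(root):
    """Inspect one volume root; 'suspicious' means autorun would launch an executable found beside it."""
    result = {"root": root, "autorun": None, "targets": [], "present": {}, "suspicious": False}
    inf = find_ci(root, "autorun.inf")
    if inf is None:
        return result
    result["autorun"] = inf
    result["targets"] = launch_targets(parse_autorun(read_text_any(inf)))
    for target in result["targets"]:
        rel = target.lstrip("\\/").replace("\\", os.sep)   # targets are relative to the root
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            path = find_ci(root, rel)
        if path is None:
            continue
        result["present"][target] = sha256_file(path)      # hash for correlation with the dropped binary
        if os.path.splitext(rel)[1].lower() in EXEC_EXTS:
            result["suspicious"] = True
    return result


# CONSTRUCTED demo content: directives a worm would use to launch its copy at the root.
DEMO_AUTORUN = "[AutoRun]\r\nopen=pagefile.pif\r\nshellexecute=pagefile.pif\r\n" \
               "shell\\Open\\Command=pagefile.pif\r\nshell=Open\r\n"


def build_demo_roots():
    """Two fake volume roots: one with the AUTORUN.INF + pagefile.pif pair, one clean."""
    base = tempfile.mkdtemp(prefix="autorun-demo-")
    infected = os.path.join(base, "E")
    os.makedirs(infected)
    with open(os.path.join(infected, "AUTORUN.INF"), "w", newline="") as f:
        f.write(DEMO_AUTORUN)
    with open(os.path.join(infected, "pagefile.pif"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)           # stand-in for the dropped LSASS.EXE copy
    clean = os.path.join(base, "C")
    os.makedirs(clean)
    with open(os.path.join(clean, "pagefile.sys"), "wb") as f:
        f.write(b"\0" * 16)                   # the legitimate root file the name imitates
    return {"E": infected, "C": clean}


if __name__ == "__main__":
    for root in build_demo_roots().values():
        r = scan_root(root)
        print(r["root"], "targets:", r["targets"], "suspicious:", r["suspicious"])
```

On a live system pass the real roots (C:\, D:\, E:\ and any mounted removable volume) to scan_root. On a fixed disk or USB stick, any launch target at all is worth a look; here the name pagefile.pif is chosen to sit next to the legitimate pagefile.sys, and the SHA-256 in "present" lets you tie the root copy back to the binary dropped in SysWOW64\com.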
Drops file in System32 directory 20 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\com\bak | LSASS.EXE
File opened for modification | C:\Windows\SysWOW64\com\SMSS.EXE | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File created | C:\Windows\SysWOW64\com\SMSS.EXE | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File opened for modification | C:\Windows\SysWOW64\com\LSASS.EXE | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File created | C:\Windows\SysWOW64\com\LSASS.EXE | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File created | C:\Windows\SysWOW64\00302.log | LSASS.EXE
File created | C:\Windows\SysWOW64\00302.log | LSASS.EXE
File opened for modification | C:\Windows\SysWOW64\com\netcfg.dll | LSASS.EXE
File opened for modification | C:\Windows\SysWOW64\com\SMSS.EXE | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\com\SMSS.EXE | LSASS.EXE
File opened for modification | C:\Windows\SysWOW64\com\LSASS.EXE | LSASS.EXE
File created | C:\Windows\SysWOW64\com\netcfg.000 | LSASS.EXE
File created | C:\Windows\SysWOW64\dnsq.dll | LSASS.EXE
File created | C:\Windows\SysWOW64\com\netcfg.dll | LSASS.EXE
File opened for modification | C:\Windows\SysWOW64\dnsq.dll | LSASS.EXE
File created | C:\Windows\SysWOW64\00302.log | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\com\SMSS.EXE | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\00302.log | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File opened for modification | C:\Windows\SysWOW64\com\SMSS.EXE | LSASS.EXE
File opened for modification | C:\Windows\SysWOW64\com\netcfg.000 | LSASS.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | LSASS.EXE
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1" | regsvr32.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
812 | ping.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
3040 | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
2644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
1076 | LSASS.EXE
1640 | LSASS.EXE
Suspicious behavior: LoadsDriver 4 IoCs
pid | Process
480 | Process not Found
480 | Process not Found
480 | Process not Found
480 | Process not Found
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3040 | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Token: SeDebugPrivilege | 2644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
Token: SeDebugPrivilege | 1076 | LSASS.EXE
Token: SeDebugPrivilege | 1640 | LSASS.EXE
Token: 33 | 1496 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1496 | AUDIODG.EXE
Token: 33 | 1496 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1496 | AUDIODG.EXE
Suspicious use of SetWindowsHookEx 17 IoCs
pid | Process | entries
3040 | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe | 4
2644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log | 4
1076 | LSASS.EXE | 4
1640 | LSASS.EXE | 4
1076 | LSASS.EXE | 1
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each row appears 4 times in the original listing)
PID 3040 wrote to memory of 2128 | 3040 | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe | 28
PID 3040 wrote to memory of 1196 | 3040 | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe | 30
PID 3040 wrote to memory of 2900 | 3040 | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe | 32
PID 3040 wrote to memory of 2524 | 3040 | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe | 34
PID 2524 wrote to memory of 2576 | 2524 | cmd.exe | 36
PID 3040 wrote to memory of 2644 | 3040 | 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe | 37
PID 2644 wrote to memory of 2152 | 2644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log | 38
PID 2644 wrote to memory of 2548 | 2644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log | 40
PID 2644 wrote to memory of 2136 | 2644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log | 41
PID 2644 wrote to memory of 2460 | 2644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log | 43
PID 2644 wrote to memory of 2596 | 2644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log | 44
PID 2644 wrote to memory of 2324 | 2644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log | 48
PID 2644 wrote to memory of 2852 | 2644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log | 50
PID 2644 wrote to memory of 2176 | 2644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log | 52
PID 2176 wrote to memory of 2188 | 2176 | cmd.exe | 54
PID 2644 wrote to memory of 1076 | 2644 | 15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log | 55
Processes
-
C:\Users\Admin\AppData\Local\Temp\15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F2⤵PID:2128
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F2⤵PID:1196
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c echo ok2⤵PID:2900
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\com\SMSS.EXEC:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe|c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log3⤵
- Executes dropped EXE
PID:2576
-
-
-
\??\c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log"c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F3⤵PID:2152
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F3⤵PID:2548
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F3⤵PID:2136
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Everyone:F3⤵PID:2460
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c echo ok3⤵PID:2596
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"3⤵PID:2324
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c del /F /Q "C:\Windows\system32\com\LSASS.EXE"3⤵PID:2852
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.~^|c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\com\SMSS.EXEC:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.~|c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe4⤵
- Executes dropped EXE
PID:2188
-
-
-
C:\Windows\SysWOW64\com\LSASS.EXE"C:\Windows\system32\com\LSASS.EXE"3⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1076
  [depth 4] C:\Windows\SysWOW64\cacls.exe
    cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    PID:1364
  [depth 4] C:\Windows\SysWOW64\cacls.exe
    cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
    PID:2420
  [depth 4] C:\Windows\SysWOW64\cacls.exe
    cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Admin:F
    PID:1420
  [depth 4] C:\Windows\SysWOW64\cacls.exe
    cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Everyone:F
    PID:2836
  [depth 4] C:\Windows\SysWOW64\cacls.exe
    cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F
    PID:2744
  [depth 4] C:\Windows\SysWOW64\cacls.exe
    cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Everyone:F
    PID:2060
  [depth 4] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /c echo ok
    PID:2132
  [depth 4] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
    PID:1984
  [depth 4] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /c rd /s /q "C:\Windows\system32\com\LSASS.EXE"
    PID:1776
  [depth 4] C:\Windows\SysWOW64\regsvr32.exe
    cmdline: "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
    - Loads dropped DLL
    - Modifies registry class
    PID:1756
  [depth 4] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|C:\pagefile.pif"
    - Loads dropped DLL
    PID:1104
    [depth 5] C:\Windows\SysWOW64\com\SMSS.EXE
      cmdline: C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|C:\pagefile.pif
      - Executes dropped EXE
      PID:2348
  [depth 4] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|D:\pagefile.pif"
    - Loads dropped DLL
    PID:1016
    [depth 5] C:\Windows\SysWOW64\com\SMSS.EXE
      cmdline: C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|D:\pagefile.pif
      - Executes dropped EXE
      PID:2960
  [depth 4] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|E:\pagefile.pif"
    - Loads dropped DLL
    PID:608
    [depth 5] C:\Windows\SysWOW64\com\SMSS.EXE
      cmdline: C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|E:\pagefile.pif
      - Executes dropped EXE
      PID:884
  [depth 4] C:\Windows\SysWOW64\com\SMSS.EXE
    cmdline: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    PID:940
  [depth 4] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
    PID:1560
  [depth 4] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
    PID:1704
  [depth 4] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|D:\pagefile.pif"
    - Loads dropped DLL
    PID:1276
    [depth 5] C:\Windows\SysWOW64\com\SMSS.EXE
      cmdline: C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|D:\pagefile.pif
      - Executes dropped EXE
      PID:2516
  [depth 4] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
    PID:2252
  [depth 4] C:\Windows\SysWOW64\ping.exe
    cmdline: ping.exe -f -n 1 www.baidu.com
    - Runs ping.exe
    PID:812
[depth 3] C:\Users\Admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe
  cmdline: "C:\Users\Admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe"
  - Executes dropped EXE
  PID:1644
[depth 3] C:\Windows\SysWOW64\com\LSASS.EXE
  cmdline: ^c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
  - Executes dropped EXE
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1640
  [depth 4] C:\Windows\SysWOW64\cacls.exe
    cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    PID:772
  [depth 4] C:\Windows\SysWOW64\cacls.exe
    cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
    PID:332
  [depth 4] C:\Windows\SysWOW64\cacls.exe
    cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Admin:F
    PID:1328
  [depth 4] C:\Windows\SysWOW64\cacls.exe
    cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Everyone:F
    PID:584
  [depth 4] C:\Windows\SysWOW64\cacls.exe
    cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F
    PID:1944
  [depth 4] C:\Windows\SysWOW64\cacls.exe
    cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Everyone:F
    PID:1632
  [depth 4] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /c echo ok
    PID:352
  [depth 4] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
    PID:1120
[depth 1] C:\Windows\system32\AUDIODG.EXE
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x574
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Downloads