2489d37b356fda9b26a6fe9320e3ef0bec0e657da55fdb2c11d98b3c3e739ec3

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Size

197KB
MD5

15bcae517e5be46a385c5c79994c6e6e
SHA1

8d5a3cfa91d82f4f2c71ac7a277d4bb818959560
SHA256

2489d37b356fda9b26a6fe9320e3ef0bec0e657da55fdb2c11d98b3c3e739ec3
SHA512

8abaf8afa0030a44e5568fd0539a558975b1f7d7dbc1309085e20bcb2729e92949892c2d9762d75d013a2869e45f92d5d23e8ddfb7ee00bdb16a24f61e152e53
SSDEEP

6144:8Gjx6PxGvpPkdRpRc6at6oHW9k1UJADkau:8HcvpPkdRpRcNtvzDu

Score

8^/10

evasion persistence trojan upx

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	SMSS.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	LSASS.EXE

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c000000015605-76.dat	acprotect

Executes dropped EXE 11 IoCs

pid	Process
2576	SMSS.EXE
2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
2188	SMSS.EXE
1076	LSASS.EXE
1644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe
1640	LSASS.EXE
2348	SMSS.EXE
2960	SMSS.EXE
884	SMSS.EXE
940	SMSS.EXE
2516	SMSS.EXE

Loads dropped DLL 25 IoCs

pid	Process
2524	cmd.exe
2524	cmd.exe
3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
2176	cmd.exe
2176	cmd.exe
2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
1076	LSASS.EXE
1756	regsvr32.exe
1104	cmd.exe
1104	cmd.exe
1016	cmd.exe
1016	cmd.exe
608	cmd.exe
608	cmd.exe
1076	LSASS.EXE
1076	LSASS.EXE
940	SMSS.EXE
1276	cmd.exe
1276	cmd.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3040-0-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x000a000000015018-12.dat	upx
behavioral1/memory/3040-14-0x0000000002F30000-0x0000000002F5B000-memory.dmp	upx
behavioral1/memory/3040-17-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2644-19-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x0008000000015616-31.dat	upx
behavioral1/memory/1076-40-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2644-52-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1640-54-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1640-67-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x000c000000015605-76.dat	upx
behavioral1/memory/1076-80-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral1/memory/940-103-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral1/memory/1076-108-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1076-112-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1076-113-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1076-117-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1076-121-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1076-125-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1076-129-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1076-133-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1076-137-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1076-141-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1076-145-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1076-149-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1076-154-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1076-176-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1076-180-0x0000000000400000-0x000000000042B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	LSASS.EXE

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LSASS.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LSASS.EXE

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
File opened (read-only)	\??\E:	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File opened (read-only)	\??\E:	LSASS.EXE
File opened (read-only)	\??\E:	LSASS.EXE

Drops autorun.inf file 1 TTPs 13 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	D:\AUTORUN.INF	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File opened for modification	\??\E:\AUTORUN.INF	LSASS.EXE
File opened for modification	D:\AUTORUN.INF	LSASS.EXE
File opened for modification	\??\E:\AUTORUN.INF	LSASS.EXE
File opened for modification	C:\AUTORUN.INF	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
File opened for modification	D:\AUTORUN.INF	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	LSASS.EXE
File opened for modification	\??\E:\AUTORUN.INF	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File opened for modification	D:\AUTORUN.INF	LSASS.EXE
File opened for modification	C:\AUTORUN.INF	LSASS.EXE
File created	C:\AUTORUN.INF	LSASS.EXE
File opened for modification	\??\E:\AUTORUN.INF	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\com\bak	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File created	C:\Windows\SysWOW64\com\SMSS.EXE	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File opened for modification	C:\Windows\SysWOW64\com\LSASS.EXE	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File created	C:\Windows\SysWOW64\com\LSASS.EXE	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File created	C:\Windows\SysWOW64\00302.log	LSASS.EXE
File created	C:\Windows\SysWOW64\00302.log	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\netcfg.dll	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\LSASS.EXE	LSASS.EXE
File created	C:\Windows\SysWOW64\com\netcfg.000	LSASS.EXE
File created	C:\Windows\SysWOW64\dnsq.dll	LSASS.EXE
File created	C:\Windows\SysWOW64\com\netcfg.dll	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\dnsq.dll	LSASS.EXE
File created	C:\Windows\SysWOW64\00302.log	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\com\SMSS.EXE	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\00302.log	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\netcfg.000	LSASS.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	LSASS.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1"	regsvr32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
812	ping.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
1076	LSASS.EXE
1640	LSASS.EXE

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Token: SeDebugPrivilege	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
Token: SeDebugPrivilege	1076	LSASS.EXE
Token: SeDebugPrivilege	1640	LSASS.EXE
Token: 33	1496	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1496	AUDIODG.EXE
Token: 33	1496	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1496	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
1076	LSASS.EXE
1076	LSASS.EXE
1076	LSASS.EXE
1076	LSASS.EXE
1640	LSASS.EXE
1640	LSASS.EXE
1640	LSASS.EXE
1640	LSASS.EXE
1076	LSASS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2128	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	28
PID 3040 wrote to memory of 2128	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	28
PID 3040 wrote to memory of 2128	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	28
PID 3040 wrote to memory of 2128	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	28
PID 3040 wrote to memory of 1196	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1196	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1196	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1196	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2900	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2900	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2900	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2900	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2524	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	34
PID 3040 wrote to memory of 2524	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	34
PID 3040 wrote to memory of 2524	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	34
PID 3040 wrote to memory of 2524	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	34
PID 2524 wrote to memory of 2576	2524	cmd.exe	36
PID 2524 wrote to memory of 2576	2524	cmd.exe	36
PID 2524 wrote to memory of 2576	2524	cmd.exe	36
PID 2524 wrote to memory of 2576	2524	cmd.exe	36
PID 3040 wrote to memory of 2644	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	37
PID 3040 wrote to memory of 2644	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	37
PID 3040 wrote to memory of 2644	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	37
PID 3040 wrote to memory of 2644	3040	15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe	37
PID 2644 wrote to memory of 2152	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	38
PID 2644 wrote to memory of 2152	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	38
PID 2644 wrote to memory of 2152	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	38
PID 2644 wrote to memory of 2152	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	38
PID 2644 wrote to memory of 2548	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	40
PID 2644 wrote to memory of 2548	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	40
PID 2644 wrote to memory of 2548	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	40
PID 2644 wrote to memory of 2548	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	40
PID 2644 wrote to memory of 2136	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	41
PID 2644 wrote to memory of 2136	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	41
PID 2644 wrote to memory of 2136	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	41
PID 2644 wrote to memory of 2136	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	41
PID 2644 wrote to memory of 2460	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	43
PID 2644 wrote to memory of 2460	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	43
PID 2644 wrote to memory of 2460	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	43
PID 2644 wrote to memory of 2460	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	43
PID 2644 wrote to memory of 2596	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	44
PID 2644 wrote to memory of 2596	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	44
PID 2644 wrote to memory of 2596	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	44
PID 2644 wrote to memory of 2596	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	44
PID 2644 wrote to memory of 2324	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	48
PID 2644 wrote to memory of 2324	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	48
PID 2644 wrote to memory of 2324	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	48
PID 2644 wrote to memory of 2324	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	48
PID 2644 wrote to memory of 2852	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	50
PID 2644 wrote to memory of 2852	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	50
PID 2644 wrote to memory of 2852	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	50
PID 2644 wrote to memory of 2852	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	50
PID 2644 wrote to memory of 2176	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	52
PID 2644 wrote to memory of 2176	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	52
PID 2644 wrote to memory of 2176	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	52
PID 2644 wrote to memory of 2176	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	52
PID 2176 wrote to memory of 2188	2176	cmd.exe	54
PID 2176 wrote to memory of 2188	2176	cmd.exe	54
PID 2176 wrote to memory of 2188	2176	cmd.exe	54
PID 2176 wrote to memory of 2188	2176	cmd.exe	54
PID 2644 wrote to memory of 1076	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	55
PID 2644 wrote to memory of 1076	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	55
PID 2644 wrote to memory of 1076	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	55
PID 2644 wrote to memory of 1076	2644	15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log	55

C:\Users\Admin\AppData\Local\Temp\15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
  2⤵
  PID:2128
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
  2⤵
  PID:1196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c echo ok
  2⤵
  PID:2900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\com\SMSS.EXE
    C:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe|c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
    3⤵
    - Executes dropped EXE
    PID:2576
- \??\c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
  "c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Everyone:F
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c echo ok
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c del /F /Q "C:\Windows\system32\com\LSASS.EXE"
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "C:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.~^|c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.~|c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe
      4⤵
      Executes dropped EXE
      PID:2188
- - C:\Windows\SysWOW64\com\LSASS.EXE
    "C:\Windows\system32\com\LSASS.EXE"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1076
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Admin:F
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Everyone:F
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Everyone:F
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c echo ok
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\LSASS.EXE"
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|C:\pagefile.pif"
      4⤵
      Loads dropped DLL
      PID:1104
    - - C:\Windows\SysWOW64\com\SMSS.EXE
        
        C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|C:\pagefile.pif
        5⤵
        Executes dropped EXE
        
        PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|D:\pagefile.pif"
      4⤵
      Loads dropped DLL
      PID:1016
    - - C:\Windows\SysWOW64\com\SMSS.EXE
        
        C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|D:\pagefile.pif
        5⤵
        Executes dropped EXE
        
        PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|E:\pagefile.pif"
      4⤵
      Loads dropped DLL
      PID:608
    - - C:\Windows\SysWOW64\com\SMSS.EXE
        
        C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|E:\pagefile.pif
        5⤵
        Executes dropped EXE
        
        PID:884
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Loads dropped DLL
      PID:940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
      4⤵
      PID:1560
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
      4⤵
      PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|D:\pagefile.pif"
      4⤵
      Loads dropped DLL
      PID:1276
    - - C:\Windows\SysWOW64\com\SMSS.EXE
        
        C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|D:\pagefile.pif
        5⤵
        Executes dropped EXE
        
        PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\ping.exe
      ping.exe -f -n 1 www.baidu.com
      4⤵
      Runs ping.exe
      PID:812
- - C:\Users\Admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe
    "C:\Users\Admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe"
    3⤵
    - Executes dropped EXE
    PID:1644
- - C:\Windows\SysWOW64\com\LSASS.EXE
    ^c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
    3⤵
    - Executes dropped EXE
    - Checks for any installed AV software in registry
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1640
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      4⤵
      PID:772
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
      4⤵
      PID:332
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Admin:F
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Everyone:F
      4⤵
      PID:584
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Everyone:F
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c echo ok
      4⤵
      PID:352
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
      4⤵
      PID:1120

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x574
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NetApi00.sys

Filesize
4KB

MD5
8e336906e90cb3558fb9704d0921e27a

SHA1
59ad8af4982e287954ecf0afaa2f28bc1ba578bc

SHA256
7c9b6f4a222d9b110ff7abecd2cd9ae7d4a7c8229e5c8b5a39da007127735897

SHA512
0a6a13daccd9f149ef5417d87ff0d9dee0564fe42dcb2cd61782dc5af744e218f68c04ed2705eba8ab3c2867af81ad487f58efe3d620cd30c433e0d382efed24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4H3PYALP\px[1].js

Filesize
346B

MD5
f84f931c0dd37448e03f0dabf4e4ca9f

SHA1
9c2c50edcf576453ccc07bf65668bd23c76e8663

SHA256
5c1d5fd46a88611c31ecbb8ffc1142a7e74ec7fb7d72bd3891131c880ef3f584

SHA512
afc3089d932fb030e932bf6414ac05681771051dd51d164f09635ca09cbd8525a52879524b6aa24e972e7766ddf529484cc1ec416de8b61255435a89ba781f8c

Download Submit
C:\Windows\SysWOW64\com\netcfg.000

Filesize
44KB

MD5
e63dcadc948e558dce82828078bd0661

SHA1
517f75447adb13524d929251faa2fa79c93d8aad

SHA256
511448c29fca76587f0e4a38ea2370726f5977e17850a904aedb1c58eecf0169

SHA512
9a67916225fd484216746b4e9cefc3259cd154ad4fc33d2f8842ea8b141e3efbe4284ca740dde157d8df85244b3c35f54ac280a40f0d0f13144ba92667f59f9c

Download Submit
\??\c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.~

Filesize
32KB

MD5
037b1e7798960e0420003d05bb577ee6

SHA1
303a90020bf3beaf9acd0ea86487c853636a99a3

SHA256
dee53d6d332dadd40c0ce34a425a6c0781f611765dcd4299d869f2b1ee80ae66

SHA512
eb61bab7639d12895f60815d6d60e2cb307c4f6583c8f3f0268105471b8b9c18b17ef9e10771035bfa1a31a78e1ceb899279fa92a82727f5fb817cc6c056d4c2

Download Submit
\Users\Admin\AppData\Local\Temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log

Filesize
197KB

MD5
15bcae517e5be46a385c5c79994c6e6e

SHA1
8d5a3cfa91d82f4f2c71ac7a277d4bb818959560

SHA256
2489d37b356fda9b26a6fe9320e3ef0bec0e657da55fdb2c11d98b3c3e739ec3

SHA512
8abaf8afa0030a44e5568fd0539a558975b1f7d7dbc1309085e20bcb2729e92949892c2d9762d75d013a2869e45f92d5d23e8ddfb7ee00bdb16a24f61e152e53

Download Submit
\Windows\SysWOW64\com\LSASS.EXE

Filesize
82KB

MD5
0fd71791362ddb0acbb55564791b0def

SHA1
6548e313fa4be72bb0a2f755d814431a543d6326

SHA256
2f117d27d9796297f966579f67d96ef6f3bdd47c05da295691883c67b279cc99

SHA512
8b8a47c7ee6abc3a0bf4fc7705cc4d19065983a22cd04cc2aab3ae421c975e9fc6a5b6a25050d6ad0f4e0af811473ed50ac45c1105a676a3891e38596eca925a

Download Submit
\Windows\SysWOW64\com\SMSS.EXE

Filesize
20KB

MD5
a4089e292d473cc4bee6499633f75ac1

SHA1
e3ba401db3ad5df31eb2df48d539f0ace8bbafe8

SHA256
ac95862f70201a84124100958d2dced7d02100b2faef8a3e79fd739209552863

SHA512
39381d7e9bf788b7ebe0e6a8311e517abc2b8253d0d51ef6d62b8c213ff87126e00d75bcae06898f36cfa33763bd4aae0839bfb1ac6f69de39cf58ccea33aebf

Download Submit
\Windows\SysWOW64\dnsq.dll

Filesize
23KB

MD5
6461a28160d060b3dce284093e26101f

SHA1
07956df958f0eeed83a6972b5759aac3278d2126

SHA256
3acd2810f366e2e80ef45d22443da09fea685ada794b42aeea680443b28ddda6

SHA512
916572549dfe51169747ae0cb95b6facc01aef191d2a0fab98ecdeef43074541b3cba4a3b7639dcd03c3be310184436cd60bda4db03b53cdf6cf61b577e53b5a

Download Submit
memory/884-97-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/940-110-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/940-103-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1076-121-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-133-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-180-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-176-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-154-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-149-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-145-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-80-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1076-141-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-137-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-129-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-125-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-117-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-108-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-113-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1076-112-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1640-54-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1640-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2188-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2348-88-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2516-107-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2576-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2644-39-0x0000000002F20000-0x0000000002F4B000-memory.dmp

Filesize
172KB

Download
memory/2644-52-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2644-19-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2644-46-0x0000000002F20000-0x0000000002F4B000-memory.dmp

Filesize
172KB

Download
memory/2960-93-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3040-14-0x0000000002F30000-0x0000000002F5B000-memory.dmp

Filesize
172KB

Download
memory/3040-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3040-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download