Analysis
max time kernel: 144s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-06-2024 12:41
Behavioral task: behavioral1
Sample: 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Resource: win10v2004-20240611-en
General
Target: 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Size: 257KB
MD5: 160c1f5dd0587c3b49fb893abacf6882
SHA1: 1ccb65f16de6a144beb4abc70b4dd6f6b924fb4f
SHA256: a08d9bbcf25cda6dbd708cb5381df841f494f822e9ae26224212b70c0123f759
SHA512: 586cb880d6365925984f78e90510846976befc81f3bd73c5bf1d9894b197b35846216a0540616296e2987977d09bbcc107d571005430e89fcc1eb7983b674574
SSDEEP: 6144:RD7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZDdZ:Rl8E4w5huat7UovONzbXw
Malware Config
Extracted
Family: darkcomet
Botnet: SummerfagFINAL2
C2: 192.162.102.160:2894
C2: mgithens.servebeer.com:2894
C2: fuckingwhiteknight.sytes.net:2894
Mutex: DC_MUTEX-6XLBW52
InstallPath: MSSVC\mssvc32.exe
gencode: aW1mC3x94Zf8
install: true
offline_keylogger: true
persistence: true
reg_key: Ntwrksvc32
Signatures

Modifies WinLogon for persistence (2 TTPs, 24 IoCs)
Processes: 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe, mssvc32.exe (23 instances)
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3
x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe" 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe -
Executes dropped EXE (23 IoCs)
Processes: mssvc32.exe (23 instances)
pid process
2480 mssvc32.exe
2532 mssvc32.exe
768 mssvc32.exe
2240 mssvc32.exe
2132 mssvc32.exe
2012 mssvc32.exe
1944 mssvc32.exe
1672 mssvc32.exe
2928 mssvc32.exe
816 mssvc32.exe
2156 mssvc32.exe
1424 mssvc32.exe
2312 mssvc32.exe
2544 mssvc32.exe
2364 mssvc32.exe
2352 mssvc32.exe
1436 mssvc32.exe
1448 mssvc32.exe
1512 mssvc32.exe
1980 mssvc32.exe
936 mssvc32.exe
1272 mssvc32.exe
996 mssvc32.exe
Loads dropped DLL (46 IoCs)
Processes: 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe, mssvc32.exe (22 instances)
pid process
1876 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
1876 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
2480 mssvc32.exe
2480 mssvc32.exe
2532 mssvc32.exe
2532 mssvc32.exe
768 mssvc32.exe
768 mssvc32.exe
2240 mssvc32.exe
2240 mssvc32.exe
2132 mssvc32.exe
2132 mssvc32.exe
2012 mssvc32.exe
2012 mssvc32.exe
1944 mssvc32.exe
1944 mssvc32.exe
1672 mssvc32.exe
1672 mssvc32.exe
2928 mssvc32.exe
2928 mssvc32.exe
816 mssvc32.exe
816 mssvc32.exe
2156 mssvc32.exe
2156 mssvc32.exe
1424 mssvc32.exe
1424 mssvc32.exe
2312 mssvc32.exe
2312 mssvc32.exe
2544 mssvc32.exe
2544 mssvc32.exe
2364 mssvc32.exe
2364 mssvc32.exe
2352 mssvc32.exe
2352 mssvc32.exe
1436 mssvc32.exe
1436 mssvc32.exe
1448 mssvc32.exe
1448 mssvc32.exe
1512 mssvc32.exe
1512 mssvc32.exe
1980 mssvc32.exe
1980 mssvc32.exe
936 mssvc32.exe
936 mssvc32.exe
1272 mssvc32.exe
1272 mssvc32.exe
Processes:
resource yara_rule
behavioral1/memory/1876-0-0x0000000000400000-0x00000000004BD000-memory.dmp upx
\Windows\SysWOW64\MSSVC\mssvc32.exe upx
behavioral1/memory/2480-15-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/1876-14-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2480-27-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2532-29-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/768-44-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2532-43-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2240-58-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/768-57-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2240-70-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2132-84-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2012-85-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2012-97-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/1944-110-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/1672-112-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2928-128-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/1672-127-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2928-141-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/816-155-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2156-156-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2156-169-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/1424-170-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/1424-184-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2312-185-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2312-198-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2544-207-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2364-208-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2364-217-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/2352-226-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/1436-235-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/1448-236-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/1512-246-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/1448-245-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/1512-255-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/936-265-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/1980-264-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/1272-275-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/936-274-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/1272-284-0x0000000000400000-0x00000000004BD000-memory.dmp upx
behavioral1/memory/996-285-0x0000000000400000-0x00000000004BD000-memory.dmp upx
Adds Run key to start application (2 TTPs, 24 IoCs)
Processes: 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe, mssvc32.exe (23 instances)
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\mssvc32.exe" 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe
Drops file in System32 directory 62 IoCs
Processes:
mssvc32.exe (23 instances), 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | mssvc32.exe
File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | mssvc32.exe
File created | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | mssvc32.exe
File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\ | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | mssvc32.exe
File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | mssvc32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe, mssvc32.exe, mssvc32.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeSecurityPrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeLoadDriverPrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeSystemProfilePrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeSystemtimePrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeBackupPrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeRestorePrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeShutdownPrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeDebugPrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeUndockPrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeManageVolumePrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeImpersonatePrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: 33 | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: 34 | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: 35 | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege | 2480 | mssvc32.exe
Token: SeSecurityPrivilege | 2480 | mssvc32.exe
Token: SeTakeOwnershipPrivilege | 2480 | mssvc32.exe
Token: SeLoadDriverPrivilege | 2480 | mssvc32.exe
Token: SeSystemProfilePrivilege | 2480 | mssvc32.exe
Token: SeSystemtimePrivilege | 2480 | mssvc32.exe
Token: SeProfSingleProcessPrivilege | 2480 | mssvc32.exe
Token: SeIncBasePriorityPrivilege | 2480 | mssvc32.exe
Token: SeCreatePagefilePrivilege | 2480 | mssvc32.exe
Token: SeBackupPrivilege | 2480 | mssvc32.exe
Token: SeRestorePrivilege | 2480 | mssvc32.exe
Token: SeShutdownPrivilege | 2480 | mssvc32.exe
Token: SeDebugPrivilege | 2480 | mssvc32.exe
Token: SeSystemEnvironmentPrivilege | 2480 | mssvc32.exe
Token: SeChangeNotifyPrivilege | 2480 | mssvc32.exe
Token: SeRemoteShutdownPrivilege | 2480 | mssvc32.exe
Token: SeUndockPrivilege | 2480 | mssvc32.exe
Token: SeManageVolumePrivilege | 2480 | mssvc32.exe
Token: SeImpersonatePrivilege | 2480 | mssvc32.exe
Token: SeCreateGlobalPrivilege | 2480 | mssvc32.exe
Token: 33 | 2480 | mssvc32.exe
Token: 34 | 2480 | mssvc32.exe
Token: 35 | 2480 | mssvc32.exe
Token: SeIncreaseQuotaPrivilege | 2532 | mssvc32.exe
Token: SeSecurityPrivilege | 2532 | mssvc32.exe
Token: SeTakeOwnershipPrivilege | 2532 | mssvc32.exe
Token: SeLoadDriverPrivilege | 2532 | mssvc32.exe
Token: SeSystemProfilePrivilege | 2532 | mssvc32.exe
Token: SeSystemtimePrivilege | 2532 | mssvc32.exe
Token: SeProfSingleProcessPrivilege | 2532 | mssvc32.exe
Token: SeIncBasePriorityPrivilege | 2532 | mssvc32.exe
Token: SeCreatePagefilePrivilege | 2532 | mssvc32.exe
Token: SeBackupPrivilege | 2532 | mssvc32.exe
Token: SeRestorePrivilege | 2532 | mssvc32.exe
Token: SeShutdownPrivilege | 2532 | mssvc32.exe
Token: SeDebugPrivilege | 2532 | mssvc32.exe
Token: SeSystemEnvironmentPrivilege | 2532 | mssvc32.exe
Token: SeChangeNotifyPrivilege | 2532 | mssvc32.exe
Token: SeRemoteShutdownPrivilege | 2532 | mssvc32.exe
Token: SeUndockPrivilege | 2532 | mssvc32.exe
Token: SeManageVolumePrivilege | 2532 | mssvc32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe, mssvc32.exe (15 instances)
description | pid | process | target process
PID 1876 wrote to memory of 2480 | 1876 | 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe | mssvc32.exe (4 events)
PID 2480 wrote to memory of 2532 | 2480 | mssvc32.exe | mssvc32.exe (4 events)
PID 2532 wrote to memory of 768 | 2532 | mssvc32.exe | mssvc32.exe (4 events)
PID 768 wrote to memory of 2240 | 768 | mssvc32.exe | mssvc32.exe (4 events)
PID 2240 wrote to memory of 2132 | 2240 | mssvc32.exe | mssvc32.exe (4 events)
PID 2132 wrote to memory of 2012 | 2132 | mssvc32.exe | mssvc32.exe (4 events)
PID 2012 wrote to memory of 1944 | 2012 | mssvc32.exe | mssvc32.exe (4 events)
PID 1944 wrote to memory of 1672 | 1944 | mssvc32.exe | mssvc32.exe (4 events)
PID 1672 wrote to memory of 2928 | 1672 | mssvc32.exe | mssvc32.exe (4 events)
PID 2928 wrote to memory of 816 | 2928 | mssvc32.exe | mssvc32.exe (4 events)
PID 816 wrote to memory of 2156 | 816 | mssvc32.exe | mssvc32.exe (4 events)
PID 2156 wrote to memory of 1424 | 2156 | mssvc32.exe | mssvc32.exe (4 events)
PID 1424 wrote to memory of 2312 | 1424 | mssvc32.exe | mssvc32.exe (4 events)
PID 2312 wrote to memory of 2544 | 2312 | mssvc32.exe | mssvc32.exe (4 events)
PID 2544 wrote to memory of 2364 | 2544 | mssvc32.exe | mssvc32.exe (4 events)
PID 2364 wrote to memory of 2352 | 2364 | mssvc32.exe | mssvc32.exe (4 events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe"  (depth 1)
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\MSSVC\mssvc32.exe  "C:\Windows\system32\MSSVC\mssvc32.exe"  (depth 2)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (depth 3)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (depth 4)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (depth 5)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (depth 6)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (depth 7)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (depth 8)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (depth 9)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (depth 10)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (depth 11)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (depth 12)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (depth 13)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (depth 14)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (depth 15)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (depth 16)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (depth 17)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (depth 18)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (depth 19)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (depth 20)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (depth 21)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (depth 22)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (depth 23)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (depth 24)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:996
Network
MITRE ATT&CK Enterprise v15
Downloads
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize 257KB
MD5 160c1f5dd0587c3b49fb893abacf6882
SHA1 1ccb65f16de6a144beb4abc70b4dd6f6b924fb4f
SHA256 a08d9bbcf25cda6dbd708cb5381df841f494f822e9ae26224212b70c0123f759
SHA512 586cb880d6365925984f78e90510846976befc81f3bd73c5bf1d9894b197b35846216a0540616296e2987977d09bbcc107d571005430e89fcc1eb7983b674574