Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 12:41
Behavioral task: behavioral1
Sample: 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Resource: win10v2004-20240611-en
General
Target: 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Size: 257KB
MD5: 160c1f5dd0587c3b49fb893abacf6882
SHA1: 1ccb65f16de6a144beb4abc70b4dd6f6b924fb4f
SHA256: a08d9bbcf25cda6dbd708cb5381df841f494f822e9ae26224212b70c0123f759
SHA512: 586cb880d6365925984f78e90510846976befc81f3bd73c5bf1d9894b197b35846216a0540616296e2987977d09bbcc107d571005430e89fcc1eb7983b674574
SSDEEP: 6144:RD7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZDdZ:Rl8E4w5huat7UovONzbXw
Malware Config
Extracted: darkcomet
SummerfagFINAL2
192.162.102.160:2894
mgithens.servebeer.com:2894
fuckingwhiteknight.sytes.net:2894
DC_MUTEX-6XLBW52
InstallPath: MSSVC\mssvc32.exe
gencode: aW1mC3x94Zf8
install: true
offline_keylogger: true
persistence: true
reg_key: Ntwrksvc32
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 24 IoCs)
Appends the dropped MSSVC\mssvc32.exe (and its nested aW1mC3x94Zf8 copies) to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit after userinit.exe, so the RAT is started at every interactive logon.
Checks computer location settings (2 TTPs, 24 IoCs)
Looks up the country code configured in the registry (HKCU\Control Panel\International\Geo\Nation), likely a geofence.
Executes dropped EXE (23 IoCs)
Each of the 23 IoCs is a new instance of the dropped mssvc32.exe.
Matches yara rule upx (UPX-packed)
The rule matched the dropped MSSVC\mssvc32.exe and the in-memory images of the processes that ran it.
Adds Run key to start application (2 TTPs, 24 IoCs)
Sets HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 to the dropped mssvc32.exe, giving the RAT a second, per-user autostart alongside the UserInit modification.
(str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\mssvc32.exe" 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe -
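The Run-key and UserInit rows above are the persistence a responder has to find on a live host. The following is an added example for this page, not code from the sandbox or from the malware author: it parses rows in the exact shape the report prints and flags a Run/RunOnce value that points into a subdirectory of system32 or SysWOW64 (or carries the value name Ntwrksvc32 used here), and a Winlogon UserInit list that contains anything beyond userinit.exe. The sample rows are constructed: three mirror rows from this report, two are benign rows invented for contrast. One caveat the rows themselves illustrate: the registry data says `system32`, but the file-drop table shows the binary landing in `SysWOW64`, because the 32-bit process is subject to file-system redirection (the CLSID key likewise lands under WOW6432Node), so a host check has to look at both views.

```python
"""Flag autostart persistence in registry "Set value" rows of the kind this report lists.

Added example for this page (not sandbox or malware-author code). Rows look like
    Set value (str) <key>\<value name> = "<data>" <process>
SAMPLE_ROWS are constructed: three mirror this report, two are benign for contrast.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)
# Value name this report's sample uses for its Run entry.
KNOWN_RUN_VALUE = "Ntwrksvc32"
# The only legitimate content of Winlogon\UserInit on a stock install (compared case-insensitively).
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
# Autostart target in a *subdirectory* of system32/SysWOW64: legitimate software does not install itself there.
SYS_SUBDIR_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\(.+)\\[^\\]+\.exe$")


@dataclass
class Event:
    key: str
    name: str
    data: str
    process: str


@dataclass
class Finding:
    rule: str
    event: Event
    detail: str


def parse_row(line: str) -> Optional[Event]:
    """Turn one report row into an Event; the report doubles backslashes in data, so fold them back."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return Event(m["key"], m["name"], m["data"].replace("\\\\", "\\"), m["proc"])


def split_path_list(data: str) -> List[str]:
    """UserInit data is a comma-separated list; drop the empty tail left by its trailing comma."""
    return [p.strip().strip('"') for p in data.split(",") if p.strip()]


def check_run_key(evt: Event) -> Optional[Finding]:
    if not evt.key.lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        return None
    reasons = []
    if evt.name.lower() == KNOWN_RUN_VALUE.lower():
        reasons.append(f"value name {evt.name!r} matches the name used by this sample")
    m = SYS_SUBDIR_RE.match(evt.data.strip('"').lower())
    if m:
        reasons.append(f"autostart target lives under {m.group(1)}\\{m.group(2)}: {evt.data}")
    if not reasons:
        return None
    return Finding("run_key_persistence", evt, "; ".join(reasons))


def check_userinit(evt: Event) -> Optional[Finding]:
    if evt.name.lower() != "userinit" or "\\winlogon" not in evt.key.lower():
        return None
    # Everything listed after userinit.exe is started by winlogon at every interactive logon.
    extras = [p for p in split_path_list(evt.data) if p.lower() != LEGIT_USERINIT]
    if not extras:
        return None
    return Finding("userinit_extra_entries", evt, "; ".join(sorted(set(extras))))


def scan(rows: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for row in rows:
        evt = parse_row(row)
        if evt is None:
            continue
        for check in (check_run_key, check_userinit):
            f = check(evt)
            if f is not None:
                findings.append(f)
    return findings


SAMPLE_ROWS = [
    # Mirror rows from this report's "Adds Run key" and "Modifies WinLogon" tables.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" mssvc32.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\mssvc32.exe" 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe," mssvc32.exe',
    # Constructed benign rows: an ordinary per-user Run entry and the stock UserInit value.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," setup.exe',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        print(f"{f.rule:24} {f.event.process:55} {f.detail}")
```

Run as a script it prints three findings (two Run-key hits, one UserInit hit) and stays silent on the two benign rows. The UserInit check is the more valuable of the two in the field: a Run key is easy to spot, whereas an extra comma-separated entry appended to Userinit survives most "clean the Run keys" playbooks and is executed by winlogon at every logon.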
Drops file in System32 directory 63 IoCs
Processes: 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe (3 events), mssvc32.exe (60 events)
description ioc process (count)
File opened for modification C:\Windows\SysWOW64\MSSVC\ 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe (x1)
File created C:\Windows\SysWOW64\MSSVC\mssvc32.exe 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe (x1)
File opened for modification C:\Windows\SysWOW64\MSSVC\mssvc32.exe 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe (x1)
File created C:\Windows\SysWOW64\MSSVC\mssvc32.exe mssvc32.exe (x1)
File opened for modification C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ mssvc32.exe (x12)
File created C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe mssvc32.exe (x12)
File opened for modification C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe mssvc32.exe (x12)
File opened for modification C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ mssvc32.exe (x11)
File created C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe mssvc32.exe (x1)
File opened for modification C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe mssvc32.exe (x11)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 24 IoCs
Processes: 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe (1 event), mssvc32.exe (23 events)
description ioc process (count)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe (x1)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mssvc32.exe (x23)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe (PID 2676), mssvc32.exe (PID 4388), mssvc32.exe (PID 2884)
description pid process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries) 2676 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
Token: the same 24 entries, in the same order 4388 mssvc32.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege (16 entries; the listing stops at the table's 64-IoC limit) 2884 mssvc32.exe
The unnamed entries 33, 34, 35 and 36 are privilege LUIDs the sandbox did not resolve: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. Together with the named ones this is the complete privilege set of an elevated administrator token, i.e. each process enables everything its token holds rather than the one privilege it needs.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe (PID 2676) and the chain of mssvc32.exe processes it starts
description pid process target process (count)
PID 2676 wrote to memory of 4388 2676 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe mssvc32.exe (x3)
PID 4388 wrote to memory of 2884 4388 mssvc32.exe mssvc32.exe (x3)
PID 2884 wrote to memory of 5064 2884 mssvc32.exe mssvc32.exe (x3)
PID 5064 wrote to memory of 4920 5064 mssvc32.exe mssvc32.exe (x3)
PID 4920 wrote to memory of 3048 4920 mssvc32.exe mssvc32.exe (x3)
PID 3048 wrote to memory of 4552 3048 mssvc32.exe mssvc32.exe (x3)
PID 4552 wrote to memory of 4464 4552 mssvc32.exe mssvc32.exe (x3)
PID 4464 wrote to memory of 4684 4464 mssvc32.exe mssvc32.exe (x3)
PID 4684 wrote to memory of 4968 4684 mssvc32.exe mssvc32.exe (x3)
PID 4968 wrote to memory of 1324 4968 mssvc32.exe mssvc32.exe (x3)
PID 1324 wrote to memory of 1436 1324 mssvc32.exe mssvc32.exe (x3)
PID 1436 wrote to memory of 1940 1436 mssvc32.exe mssvc32.exe (x3)
PID 1940 wrote to memory of 4684 1940 mssvc32.exe mssvc32.exe (x3)
PID 4684 wrote to memory of 2988 4684 mssvc32.exe mssvc32.exe (x3)
PID 2988 wrote to memory of 1388 2988 mssvc32.exe mssvc32.exe (x3)
PID 1388 wrote to memory of 1576 1388 mssvc32.exe mssvc32.exe (x3)
PID 1576 wrote to memory of 4964 1576 mssvc32.exe mssvc32.exe (x3)
PID 4964 wrote to memory of 5080 4964 mssvc32.exe mssvc32.exe (x3)
PID 5080 wrote to memory of 2476 5080 mssvc32.exe mssvc32.exe (x3)
PID 2476 wrote to memory of 2136 2476 mssvc32.exe mssvc32.exe (x3)
PID 2136 wrote to memory of 4508 2136 mssvc32.exe mssvc32.exe (x3)
PID 4508 wrote to memory of 2992 4508 mssvc32.exe mssvc32.exe (x1; the listing stops at the table's 64-IoC limit)
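Read in order, the WriteProcessMemory rows are not injection into some other program: every write goes into the process the writer has just created, three writes per parent/child pair, which is what process creation itself looks like in this table. What the rows do show is a 22-generation chain of mssvc32.exe starting mssvc32.exe, and one recycled PID (4684 appears as a child twice), which is exactly the case a naive dict keyed on PID gets wrong. The following is an added example for this page, not code from the sandbox or the malware author: it re-emits the report's 64 rows from the PID chain (so the parser has realistic input), parses them, collapses the repeats, and checks linearity, depth, PID reuse and the same-image property. The 64-row cap is this report's observed behaviour, assumed here as a constant.

```python
"""Rebuild the spawn chain from "Suspicious use of WriteProcessMemory" rows.

Added example for this page (not sandbox or malware-author code). Rows have the shape
    PID <writer> wrote to memory of <target> <writer> <writer image> <target image>
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<simg>\S+) (?P<dimg>\S+)$"
)

# PIDs in the order the report lists them (4684 occurs twice: the PID was recycled).
CHAIN = [2676, 4388, 2884, 5064, 4920, 3048, 4552, 4464, 4684, 4968, 1324, 1436,
         1940, 4684, 2988, 1388, 1576, 4964, 5080, 2476, 2136, 4508, 2992]
ORIGINAL = "160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe"
DROPPED = "mssvc32.exe"
TABLE_CAP = 64  # assumed: the report's signature tables stop after 64 IoCs


def report_rows() -> List[str]:
    """Reconstruct the report's rows: three writes per parent/child pair, truncated at the table cap."""
    rows: List[str] = []
    for i in range(len(CHAIN) - 1):
        src, dst = CHAIN[i], CHAIN[i + 1]
        simg = ORIGINAL if i == 0 else DROPPED
        n = min(3, TABLE_CAP - len(rows))
        rows += [f"PID {src} wrote to memory of {dst} {src} {simg} {DROPPED}"] * n
    return rows


def parse_rows(rows: List[str]) -> List[Tuple[int, int, str, str]]:
    """One (writer, target, writer image, target image) tuple per well-formed row."""
    out = []
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m:
            out.append((int(m["src"]), int(m["dst"]), m["simg"], m["dimg"]))
    return out


def collapse(edges: List[Tuple[int, int, str, str]]) -> List[Dict]:
    """Merge consecutive rows for the same (writer, target) pair into one edge with a write count, keeping order."""
    out: List[Dict] = []
    for src, dst, simg, dimg in edges:
        if out and out[-1]["src"] == src and out[-1]["dst"] == dst:
            out[-1]["writes"] += 1
        else:
            out.append({"src": src, "dst": dst, "src_image": simg, "dst_image": dimg, "writes": 1})
    return out


def analyse(edges: List[Dict]) -> Dict:
    """Is it one linear chain? How deep? Which PIDs recur? Does the image stay the same?"""
    if not edges:
        return {"linear_chain": False, "generations": 0, "chain": [], "reused_pids": [],
                "writes_per_edge": [], "same_image_generations": 0}
    # Linear: each writer is exactly the child the previous writer created. Order matters because PIDs recur,
    # so this is checked on the ordered edge list, not on a PID-keyed map.
    linear = all(edges[i]["src"] == edges[i - 1]["dst"] for i in range(1, len(edges)))
    chain = [edges[0]["src"]] + [e["dst"] for e in edges]
    reused = sorted(pid for pid, n in Counter(chain).items() if n > 1)
    return {
        "linear_chain": linear,
        "generations": len(edges),
        "chain": chain,
        "reused_pids": reused,
        "writes_per_edge": [e["writes"] for e in edges],
        "same_image_generations": sum(1 for e in edges if e["src_image"] == e["dst_image"]),
    }


if __name__ == "__main__":
    summary = analyse(collapse(parse_rows(report_rows())))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The summary matches the process tree below: 22 parent/child edges, one linear chain, PID 4684 reused, 21 generations where mssvc32.exe starts mssvc32.exe, and a uniform three writes per child with only the last edge truncated. The tree's final process (PID 4168) has no rows at all because the table ends at 64, so the chain is at least one generation longer than this signature shows.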
Processes
-
C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe"  (level 1)
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\MSSVC\mssvc32.exe  "C:\Windows\system32\MSSVC\mssvc32.exe"  (level 2)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (level 3)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (level 4)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (level 5)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (level 6)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (level 7)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (level 8)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (level 9)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (level 10)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (level 11)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (level 12)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (level 13)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (level 14)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (level 15)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (level 16)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (level 17)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (level 18)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (level 19)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (level 20)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (level 21)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (level 22)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"  (level 23)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe  "C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"  (level 24)
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4168
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 257KB
MD5 160c1f5dd0587c3b49fb893abacf6882
SHA1 1ccb65f16de6a144beb4abc70b4dd6f6b924fb4f
SHA256 a08d9bbcf25cda6dbd708cb5381df841f494f822e9ae26224212b70c0123f759
SHA512 586cb880d6365925984f78e90510846976befc81f3bd73c5bf1d9894b197b35846216a0540616296e2987977d09bbcc107d571005430e89fcc1eb7983b674574