Analysis
- max time kernel: 134s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/07/2024, 20:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
- Resource: win7-20240611-en
General
- Target: 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
- Size: 165KB
- MD5: 1c5eb0e8f00fd584e8d1d3006278fe76
- SHA1: 03f5aa75940b9176a97ac41257f306c33cca93da
- SHA256: e026f6f1a5a4f5b39e68c8cdb050334174764d2c7fe041073c6e64872a3a4099
- SHA512: 592c5856367f942c29f9f88c7ed20f65eb453475991ffafa11cd72b4c45ca3e58f47af0d4daf6cda2a3800de45789d55596bfcfe3588ee4f7f77417e52474590
- SSDEEP: 3072:yo5Htro+64OBGLvtwT+rGkLB0oA50BFLqlNyoNCzN2D3zCCR9GPU1:351llOBGLvuT+rjLBxAblNyN2zz7RWM
Malware Config
Signatures

Modifies firewall policy service (3 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe:*:enabled:@shell32.dll,-1" | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
pid | Process
3252 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
2392 | WaterMark.exe

resource | yara_rule
behavioral2/memory/3252-7-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3252-13-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/2392-27-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/2392-31-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3252-14-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3252-12-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3252-9-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3252-6-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3252-5-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/2392-65-0x0000000000400000-0x0000000000421000-memory.dmp | upx

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\pxEDDA.tmp | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Panther\setupact.log | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
File opened for modification | C:\Windows\Panther\setuperr.log | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
File opened for modification | C:\Windows\Panther\diagerr.xml | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
File opened for modification | C:\Windows\Panther\diagwrn.xml | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3704 | 4720 | WerFault.exe | 93
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1120395259" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1120395259" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31116278" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6E2EA621-37E9-11EF-90FA-C21B8D59DC13} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31116278" | iexplore.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = e3cbcd2ef6cbda01 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116278" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = e3cbcd2ef6cbda01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\User Preferences | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1117270316" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1117270316" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1117895309" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aa9cad4c9673b74c9a378d3b281cdc3700000000020000000000106600000001000020000000ba20db646437dfc020a73d9f3d7d466b0b0b046701d4905c1354e3c31f420f73000000000e800000000200002000000070cd7841d448f8ca80d11ea1e1d6515d10ddda3d6acabc51c198bd200e6b4e82100000007966afcae46392229a444080b72654ad40000000abc93d3e29f9e1c1a12b149665c37491da876c1e3fc719e25a1cdb038ce4755c5c8a09fffeeba716ff32d54a639a6ac4d2dc16f90b861e39e458f2944cd471b1 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6E29E077-37E9-11EF-90FA-C21B8D59DC13} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116278" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = e3cbcd2ef6cbda01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1117895309" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aa9cad4c9673b74c9a378d3b281cdc37000000000200000000001066000000010000200000002b2a9303f0e18c9276a2a0ee4fc08dfac343ad8988ee67de1ce8a08fd8b7b3ab000000000e8000000002000020000000e81a4f006ed387c2d66e49fb805450fe531b020bb0c2d0100b92128538999f0b50000000e0cf510533206ea109e69a92eeb7814a1a42ad40674fe748479d4e67707d218dbf854d3968a0f18c626152b6e0905ce8b9756fa95b7628f6eb7a6ae4d7ed763403b9ba596510395e002f50cef17ae0b84000000043d784d6d077c6d38feff1c34bb0a3c0e79f5c0712f9bb2649174341287f04cf636dca4a3348892535aee7366c95b28b0b0524ffc13fca0b6d1cfdb58b46e592 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aa9cad4c9673b74c9a378d3b281cdc370000000002000000000010660000000100002000000012d1559f0a1af04b604cf7dae6556039fc91fa785b5c66ced37e943d5968e25c000000000e8000000002000020000000e6c22d1920d3dbfa6998e44685af5a45cce1250b2d33248aee659401820e18c6100000009b18b92161eaaceccccd67f18dbe3ded40000000ba381494dd1d2e1372ade3f72ab45ee56ee0f838c94e41e623ec8b963d1a6b60f8f560e26fb9b13b97c5cb5e369109c61da30b72789a411ca998315ff6c1701d | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116278" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process
2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe (2 entries)
2392 | WaterMark.exe (16 entries)

Suspicious behavior: MapViewOfSection (64 IoCs)
pid | Process
2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe (all 64 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
Token: SeDebugPrivilege | 2392 | WaterMark.exe
Token: SeRestorePrivilege | 2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
Token: SeRestorePrivilege | 2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
440 | iexplore.exe
1152 | iexplore.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process
1152 | iexplore.exe
1152 | iexplore.exe
440 | iexplore.exe
440 | iexplore.exe
4280 | IEXPLORE.EXE
4280 | IEXPLORE.EXE
1676 | IEXPLORE.EXE
1676 | IEXPLORE.EXE
4280 | IEXPLORE.EXE
4280 | IEXPLORE.EXE

Suspicious use of UnmapMainImage (2 IoCs)
pid | Process
3252 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
2392 | WaterMark.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2016 wrote to memory of 3252 | 2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe | 91 (3 entries)
PID 2016 wrote to memory of 600 | 2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe | 5 (6 entries)
PID 2016 wrote to memory of 656 | 2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe | 7 (6 entries)
PID 2016 wrote to memory of 764 | 2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe | 8 (6 entries)
PID 2016 wrote to memory of 772 | 2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe | 9 (6 entries)
PID 2016 wrote to memory of 780 | 2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe | 10 (6 entries)
PID 2016 wrote to memory of 884 | 2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe | 11 (6 entries)
PID 2016 wrote to memory of 932 | 2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe | 12 (6 entries)
PID 2016 wrote to memory of 1012 | 2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe | 13 (6 entries)
PID 2016 wrote to memory of 420 | 2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe | 14 (6 entries)
PID 2016 wrote to memory of 848 | 2016 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe | 15 (4 entries)
PID 3252 wrote to memory of 2392 | 3252 | 1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe | 92 (3 entries)
Processes
path | command line | PID (indented entries are children of the entry above)
- C:\Windows\system32\winlogon.exe | winlogon.exe | PID:600
  - C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:764
  - C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1012
- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:656
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:772
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p | PID:780
  - C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID:2808
  - C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3728
  - C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3884
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3944
  - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4040
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3824
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2484
  - C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding | PID:2648
  - C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:2552
  - C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:5024
  - C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:4400
  - C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:2108
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p | PID:884
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID:932
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID:420
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID:848
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p | PID:880
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID:1096
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID:1104
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID:1180
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID:1204
  - C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:652
  - C:\Windows\system32\MusNotification.exe | C:\Windows\system32\MusNotification.exe | PID:4596
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID:1260
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID:1308
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID:1352
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID:1412
  - C:\Windows\system32\sihost.exe | sihost.exe | PID:3048
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID:1488
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID:1500
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID:1564
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID:1632
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID:1668
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | PID:1696
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1780
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | PID:1796
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | PID:1908
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1916
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID:1928
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID:2004
- C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:1708
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | PID:1804
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID:2072
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID:2232
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID:2280
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID:2288
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID:2424
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | PID:2492
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2568
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2580
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2596
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2624
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:376
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3140
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2100
-
-
C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exeC:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2392 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵PID:4720
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 2046⤵
- Program crash
PID:3704
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1152 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1676
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:440 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:440 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4280
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:3932
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:828
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:1644
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:1952
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:1532
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4424
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵PID:3248
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵PID:4860
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7fffda5f4ef8,0x7fffda5f4f04,0x7fffda5f4f102⤵PID:2160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2304,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=2300 /prefetch:22⤵PID:2900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1972,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=3408 /prefetch:32⤵PID:4128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2340,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:82⤵PID:2992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3924,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:82⤵PID:1732
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:2172
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4720 -ip 47201⤵PID:2788
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5:      df3b51cc5929f3af03350336b1afc568
  SHA1:     48453c44facbbea059f9da8565cf25b1c2cb9ce0
  SHA256:   2375353160c5f8c4cadce5954ff4a7cc5b9c403890f0404791ff85c8ec0dd748
  SHA512:   d8eaa0761def6d74462748aa794198b5f32fa593662bf373c81e1d300f3f76ecc1c723cef52774caa6482527f26524fd2677a5e2253285cb6d0984b044347e8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5:      08e3c4c6989ba6af68a34f66fc94db2b
  SHA1:     b2d7546a8aa1b2b170eb361a3b59b3b1939827ae
  SHA256:   6740765f5b675959f1a07a9471b66314514b873867f0c30095ded76af7991b4c
  SHA512:   53a6be9441e562535aa5742a09a14bdc11782d67a44dfa504ff5efa4a368baf3aebc1835c5c780b1415c657cd8b24871da2c3fbb3372894653994a1ce28c5f4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5:      c388cb27268621665793b075d9c84c08
  SHA1:     ea54bf7cc3b110dbbccc9284fcd7b483fe1cefd7
  SHA256:   226a7ca995cf5811d0dcfa766a12105dfda56cbc7c25c4e95ff46355bf616549
  SHA512:   ddef6d6b62baa57ef3daab78c8e4830ed4398b7e40e979ce6d3756c0c4dee86b9190f1b2e9f4276143891ca08127b3ed750a84b9c79c4775894f4ce14589cf71

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Filesize: 4KB
  MD5:      da597791be3b6e732f0bc8b20e38ee62
  SHA1:     1125c45d285c360542027d7554a5c442288974de
  SHA256:   5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
  SHA512:   d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6E29E077-37E9-11EF-90FA-C21B8D59DC13}.dat
  Filesize: 5KB
  MD5:      518f5ca210ada501cd0e7399627e2ba6
  SHA1:     a19ee2c57c0ae050f0604304b22b23e16ca7fb2d
  SHA256:   f6f2addd822a660253384f3f069a3280afbf6ee71d683ca7391d1df8a48befb5
  SHA512:   8aefe96b185832bc325a2bfa055cef2ed96d4cc079b65d70a3bf2280d919d1aeec780d96aadfbe19126c258ff8b5c7f6e9ce57c9c78f7ac27a77333f6721c34b

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6E2EA621-37E9-11EF-90FA-C21B8D59DC13}.dat
  Filesize: 5KB
  MD5:      b2765c6c4580717eda5bf0766a1080ca
  SHA1:     726b7f72a38ee9001bbac616e2ccedf39078bbe0
  SHA256:   aa90afaea094e41a5833d4de164fcedc1decaa888bc9441b07137eb7384d506d
  SHA512:   7fc616366f25825f9e74b4219b6ef6c602a407eb10b51127f89cfae1bdc3b62968832905a0e7f2e7a79f180da49c38871462d48e1e550a88a8cc8d1b100c451e

(no path recorded)
  Filesize: 15KB
  MD5:      1a545d0052b581fbb2ab4c52133846bc
  SHA1:     62f3266a9b9925cd6d98658b92adec673cbe3dd3
  SHA256:   557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
  SHA512:   bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

(no path recorded)
  Filesize: 17KB
  MD5:      5a34cb996293fde2cb7a4ac89587393a
  SHA1:     3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256:   c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512:   e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

(no path recorded)
  Filesize: 60KB
  MD5:      cd963c64ad0bea4ca85a4819f6eefed1
  SHA1:     d9cd6316cf3c6ce5ceec9694c2debc7b7981775f
  SHA256:   33c4b715dc8b183dff9aac65cc42c7f2c70658580b8e3d449878251482a5d906
  SHA512:   f7cd12c57eff3acf7c89b0e7b55dfa81623618a65d6c49b490c199cfe63ae9e858f2681c8ef1425d1e4b25f7b0bbd6d4a9d9788956c23f52fece3d5d79b5907e