465d84dbb7df547817a469c69e606b3396a5d68bb2f88b97f278897e09dbc83f

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 06:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
Size

241KB
MD5

216573060116f48b1a020f3dab13481a
SHA1

4acbaabfe3d6333c43ed81a09dd90fb4b904b42c
SHA256

465d84dbb7df547817a469c69e606b3396a5d68bb2f88b97f278897e09dbc83f
SHA512

7836170c528984d9b95478cb4f63cd188232dde534f393695bcd74e97b36238c32481ebb9463f01046c55960bf956b0997cf8704692d15e587ed888f41996ca3
SSDEEP

6144:sTzop9rU8CXVKQKDGrIsjZcgTt9gOkJaxnJ+yGW13QZXC9:48rU8Co+GyAOkgxJWOgZy9

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PCGWIN32.LI5	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{CEB569C8-8A0CFFE6-7F5D5083-674A9844}\ = 68b241f98286ad2888d6ce232f81899c48192e1b0ae14f88d52aa068259543ac21a9409442a1669002e126986ca4d4cee06ad84ea06ac9d0d454ad13f419c25fb625c31f06a562d31016a8528cae6baa898eacaa09d66ba311e697a39d9958e7dc926791ade0286ff45582237f59455b8f9eaa252f0fb5d58c5cb71a0226669202d6b6138c2957f7ed425420ac100958eb21d157272d7237368d7cd7baddc1e78b6de1cb0be9b1f74c4d0a88d677dccd58b4e47efc7afa39807bb401c13f44854cff6ac5d6f36336b94278a8c0ce142bed1154d7ac626908f7ea3de887b17208708c8615edd397e61db31b39de87654dff77fa32c7709276a97cb4c401238fd96a6356c192a0ae594b67d1fd6844525c6864d6f2633789cd4c2816aa2251619fff65fae3c741b224bfccbacb07766d821786ad628bd85664e21f6fe555fc5fb9e53f9c456743ada68b1d091b8fa16af84e3db407f3cdb194c8612b23b1d970a04845ae0fcbb58e3fcbc5293054f8e07d8ffb6a867662cc608817166d22571e5d9aa720fd1238284449acb3e8c6357c0346c1926498fe24c5ae80b41e4364819168dcc825745372d1bed7baa200ff63ba29fe8b8596ec93d71ed29a2f67552dd3d41ee31a561822589620ed28cb4e892bf471c1739c719bbfe6c5127f694537537dae47154ddff7da7d9fbb257ebf3a45f89c0667cdedb4a873b04136973cd2c69183e86eee34ea8e6814ea9ee824ec9e6864ec8ff67a9f56543d410f9714614fccc57df0327492d0bba7052b340e4ee433292b6e2f2061abf2afad685e231d94dba555deaf1b4aa1ce940b5fc925b3d376ae4215c6a3534691bc687a28ab107a1286694cab8bf6767ccc44ab4c8908eb289651d393a61ecc9ae8a7d4521fae656bd331e63bfd0178abc0d6e9dca8a40eb24ab6b1fd88444920eb9e76db32a1c607bd1d04274ebd6a3b90c6dad35e2e64743330b1823cc1ba90391183631e61a47703fde1bbf401430fe9cab077768d42682fd675624f785546dffc1a441ea0da47a7fd124456b0624d4ef7b44d006bc4890df0eb832e0eea3470ce0d7417cc5dcae7d0f258c1224088ccf7d5b29cf9e63b9346dec2e5cfccea2b77493dcf870a9230613af33e0104d00ea534707080369e4c2456a0938aee692b976992d759dda3e77e7d3a84c05122a31869dd9058119c2727ed9d54a41c911814a05efa64f83e3d3a873ea28469cdd3e8969152e01fcee5f4fc7cb9c63b1c79a44741b22bc70912136e51959fdcda59a15f1c6524933c2944d7e2ddde67da926067048ddd3718fddc3898ba9e87e55220d0be6b7b1141d38796bd2d07779d7da7bb9d01e4ff6dc56b9051e7139259ee5bab61ce03b54ef38ac137ebcd16d7ac6d6beb6931cf8f6a3530cc3cf74472ccfef6c5bddc04596edbaae6ee1d745b8d21686496702c440aceceab7476fcb2bb4946eb3256f692c26f68f58b3f8e854b23f1de78db3c26f84cc2ca87b6f27dcf470aed88a8680fb7550213e0a129c8f3cb3696fce34729fd74c430bf7ec5baefc7d5b21ccf5835d88f216a3b48398e3b8b416e0cd408624c90166b620917376d0d6b97b1e23bd03992bb9681e37f763a72b88039a783724ef6b44c0c68e84c0d34ab415647a27d3007c42df017896d14f752cd600bb431f2873ff205810fd03526035369e12fbc754773adb6b7033df944c46cb37401007722822eff4a7ab67e0c3aaa806f3855fe9ffada8766f242f18ef4940f12959693ac694bf3d1412c678812115ee724bd1244684ccca837f1fd8304eef00b74b1c03ce8f897c0e26497029dd727226dc0a88eedb474b28c08568c9d8a18a822e99e48a548104c2214d02e6f6a15b6d3f3e94e4f348afcb7fa427e303ab2be3ec5faacf8298153f851b91fff25c5130ca9740b8211cee0353f7fc5c5b31c7ed8845a9d21642fd27560037e41ba67807d0cfbaa0651d227270d9d37678d7d0804165e2264b87007fadd01db17192d58171a2d5e0b9a691e10db1cde9a65d92fd8b527f0adb48bc351f614bd90f8ddf818c05e86a5cdbc347b7ec1faa4865c7358b9dc805a1d605b1b6159371f0d253763bdc9c434d130e432b370863ad306519c539a611e171a52e650bd6a44c81c71e477914d202b76298217f86d40d7859dbc58479c3d5bbb19391f835a49deaca52940f3523698fcd939a0ff333a39c0fb1f41e5d700dd921b661983a34ec6949d10e4dee0e4fe724481028486a38cfe6945b77f42053e6fc5750cbcca3b8e39aac3c99e505a6619ac9b95e650e39ee6a43d2287808db4378e4d0a77967d92b898c7df121a16982c19161b22193e5f04a562e0fe4dc44bb171c4339d79dbbf9e05a58fc0b57f7c8584b35d79dbfb2179bf477a320640127e6844b4ecc11788dded180b98a9a548300a04289e289b8a26e9228fb635c333eefed53b10c168638d89c84815f26f71aa7fe9854c80a83d5247ee6dab4bae090b6c3148c708b25648626e2eca4b3151c727124dae774a4d4e3715729f801ac7a67d7d47475d2de7ab4de997cf2d2a97b662430091386f7aaa806f22b5b873ba8e476bade988b4577cad46681d3267c03d3c47fb4d86776db2ab37890d2f97b5d2bfe97a34c04067858d9c54591edf249a00a0550cef76ea7cf746728df8d4fb1dc66743cde9ebd0e9294f33f5b9c304c9d034ea426eb02ab6aebcb4fa8240df7c5a07667d527bee79b5bb0001703b76b932fb06065d02a7f0327bfec1c4900ea614eca0563a620648c3b34ef6aa4d77770d3de8872f0df5d7bfed7a9480ef418a2fc835d04c1bd699ad5c086614d22c296817ce1dea5bee1eb424cf720af6b0cd39f407412d9b6ba1e9838b9129ab6c9174e300513e6b7a16c65cd258e85ab2d88e63cb1956df12e5e87f12c5d9cfa0d55f53a596afa3155e50da2859b067cf6db58bc031d13790bdd387211d501b129996a3e349f12cbbf6fe8d05175f6d254b40964ce376763c824698525a20192ee76bc2915118dfe2daaedf8a1ab066f7b332b6b08d31a833b1f18c73b7f1b2f7873dd27859c65fb3254e6f9475538019f51f0c2516a3ec2697322236984c67c84dd0f7ec42483016f092feef44aaadd174178c622a3608b2f6f7b38d060b7c09ba13c0660bf229812b3031420f5015601fd225603f74054e4ff4d5422048e4a80ff3d5861ced98175cad580b23d669e34f1e755a8326e1bc6bc596e093c1968093e79ecddbf75ebd9af8a6ffacfaea79af07cacdf1cb04315e749b3e9eba65bf03baa9ff1745ed43eb596927cb0db668b38c060962af986aa44e8ecaea6e89aaac2e17aa5d8ea7b4bd0e7b94c15db867bd8df8f4457cbf4485706fc22a4eceb4d571ac3bd4f9ad03f4e6bfad8568ef8c8a75b7f3c27681b2b7013d973b92c157a8ed2b2b69a99354e9604bba49877362becefb747ebeba7b86f99c78a67ab278863a9c7e9a84de3e5abaa747522de037b97d87c7edfd4bfb8e8155c0a31f61a5db40a67843fa0186f72ccd34b40c338879cb83f6e183479e4d9b342672b248495653d2e951b7630d1974a370d1062032184624f24ec00afc6e866ae391eed0ab53b659cd2377913dd787ddbd18bba0febd7b44793247c00dd42baf31cab3b1fe	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{CEB569C8-8A0CFFE6-7F5D5083-674A9844}	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{CEB569C8-8A0CFFE6-7F5D5083-674A9844}\ = dad28fd38286ad2888d6ce232f81899c48192e1b0ae14f88d52aa068259543ac21a9409442a1669002e126986ca4d4cee06ad84ea06ac9d0d454ad13f419c25fb625c31f06a562d31016a8528cae6baa898eacaa09d66ba311e697a39d9958e7dc926791ade0286ff45582237f59455b8f9eaa252f0fb5d58c5cb71a0226669202d6b6138c2957f7ed425420ac100958eb21d157272d7237368d7cd7baddc1e78c6de1cb0be9b1f74c4d0a88d677dccd58b4e47efc7afa39807bb401c13f44854cff6ac5d6f36336b94278a8c0ce142bed1154d7ac626908f7ea3de887b17208708c8615edd397e61db31b39de87654dff77fa32c7709276a97cb4c401238fd96a6356c192a0ae594b67d1fd6844525c6864d6f2633789cd4c2816aa2251619fff65fae3c741b224bfccbacb07766d821786ad628bd85664e21f6fe555fc5fb9e53f9c456743ada68b1d091b8fa16af84e3db407f3cdb194c8612b23b1d970a04845ae0fcbb58e3fcbc5293054f8e07d8ffb6a867662cc608817166d22571e5d9aa720fd1238284449acb3e8c6357c0346c1926498fe24c5ae80b41e4364819168dcc825745372d1bed7baa200ff63ba29fe8b8596ec93d71ed29a2f67552dd3d41ee31a561822589620ed28cb4e892bf471c1739c719bbfe6c5127f694537537dae47154ddff7da7d9fbb257ebf3a45f89c0667cdedb4a873b04136973cd2c69183e86eee34ea8e6814ea9ee824ec9e6864ec8ff67a9f56543d410f9714614fccc57df0327492d0bba7052b340e4ee433292b6e2f2061abf2afad685e231d94dba555deaf1b4aa1ce940b5fc925b3d376ae4215c6a3534691bc687a28ab107a1286694cab8bf6767ccc44ab4c8908eb289651d393a61ecc9ae8a7d4521fae656bd331e63bfd0178abc0d6e9dca8a40eb24ab6b1fd88444920eb9e76db32a1c607bd1d04274ebd6a3b90c6dad35e2e64743330b1823cc1ba90391183631e61a47703fde1bbf401430fe9cab077768d42682fd675624f785546dffc1a441ea0da47a7fd124456b0624d4ef7b44d006bc4890df0eb832e0eea3470ce0d7417cc5dcae7d0f258c1224088ccf7d5b29cf9e63b9346dec2e5cfccea2b77493dcf870a9230613af33e0104d00ea534707080369e4c2456a0938aee692b976992d759dda3e77e7d3a84c05122a31869dd9058119c2727ed9d54a41c911814a05efa64f83e3d3a873ea28469cdd3e8969152e01fcee5f4fc7cb9c63b1c79a44741b22bc70912136e51959fdcda59a15f1c6524933c2944d7e2ddde67da926067048ddd3718fddc3898ba9e87e55220d0be6b7b1141d38796bd2d07779d7da7bb9d01e4ff6dc56b9051e7139259ee5bab61ce03b54ef38ac137ebcd16d7ac6d6beb6931cf8f6a3530cc3cf74472ccfef6c5bddc04596edbaae6ee1d745b8d21686496702c440aceceab7476fcb2bb4946eb3256f692c26f68f58b3f8e854b23f1de78db3c26f84cc2ca87b6f27dcf470aed88a8680fb7550213e0a129c8f3cb3696fce34729fd74c430bf7ec5baefc7d5b21ccf5835d88f216a3b48398e3b8b416e0cd408624c90166b620917376d0d6b97b1e23bd03992bb9681e37f763a72b88039a783724ef6b44c0c68e84c0d34ab415647a27d3007c42df017896d14f752cd600bb431f2873ff205810fd03526035369e12fbc754773adb6b7033df944c46cb37401007722822eff4a7ab67e0c3aaa806f3855fe9ffada8766f242f18ef4940f12959693ac694bf3d1412c678812115ee724bd1244684ccca837f1fd8304eef00b74b1c03ce8f897c0e26497029dd727226dc0a88eedb474b28c08568c9d8a18a822e99e48a548104c2214d02e6f6a15b6d3f3e94e4f348afcb7fa427e303ab2be3ec5faacf8298153f851b91fff25c5130ca9740b8211cee0353f7fc5c5b31c7ed8845a9d21642fd27560037e41ba67807d0cfbaa0651d227270d9d37678d7d0804165e2264b87007fadd01db17192d58171a2d5e0b9a691e10db1cde9a65d92fd8b527f0adb48bc351f614bd90f8ddf818c05e86a5cdbc347b7ec1faa4865c7358b9dc805a1d605b1b6159371f0d253763bdc9c434d130e432b370863ad306519c539a611e171a52e650bd6a44c81c71e477914d202b76298217f86d40d7859dbc58479c3d5bbb19391f835a49deaca52940f3523698fcd939a0ff333a39c0fb1f41e5d700dd921b661983a34ec6949d10e4dee0e4fe724481028486a38cfe6945b77f42053e6fc5750cbcca3b8e39aac3c99e505a6619ac9b95e650e39ee6a43d2287808db4378e4d0a77967d92b898c7df121a16982c19161b22193e5f04a562e0fe4dc44bb171c4339d79dbbf9e05a58fc0b57f7c8584b35d79dbfb2179bf477a320640127e6844b4ecc11788dded180b98a9a548300a04289e289b8a26e9228fb635c333eefed53b10c168638d89c84815f26f71aa7fe9854c80a83d5247ee6dab4bae090b6c3148c708b25648626e2eca4b3151c727124dae774a4d4e3715729f801ac7a67d7d47475d2de7ab4de997cf2d2a97b662430091386f7aaa806f22b5b873ba8e476bade988b4577cad46681d3267c03d3c47fb4d86776db2ab37890d2f97b5d2bfe97a34c04067858d9c54591edf249a00a0550cef76ea7cf746728df8d4fb1dc66743cde9ebd0e9294f33f5b9c304c9d034ea426eb02ab6aebcb4fa8240df7c5a07667d527bee79b5bb0001703b76b932fb06065d02a7f0327bfec1c4900ea614eca0563a620648c3b34ef6aa4d77770d3de8872f0df5d7bfed7a9480ef418a2fc835d04c1bd699ad5c086614d22c296817ce1dea5bee1eb424cf720af6b0cd39f407412d9b6ba1e9838b9129ab6c9174e300513e6b7a16c65cd258e85ab2d88e63cb1956df12e5e87f12c5d9cfa0d55f53a596afa3155e50da2859b067cf6db58bc031d13790bdd387211d501b129996a3e349f12cbbf6fe8d05175f6d254b40964ce376763c824698525a20192ee76bc2915118dfe2daaedf8a1ab066f7b332b6b08d31a833b1f18c73b7f1b2f7873dd27859c65fb3254e6f9475538019f51f0c2516a3ec2697322236984c67c84dd0f7ec42483016f092feef44aaadd174178c622a3608b2f6f7b38d060b7c09ba13c0660bf229812b3031420f5015601fd225603f74054e4ff4d5422048e4a80ff3d5861ced98175cad580b23d669e34f1e755a8326e1bc6bc596e093c1968093e79ecddbf75ebd9af8a6ffacfaea79af07cacdf1cb04315e749b3e9eba65bf03baa9ff1745ed43eb596927cb0db668b38c060962af986aa44e8ecaea6e89aaac2e17aa5d8ea7b4bd0e7b94c15db867bd8df8f4457cbf4485706fc22a4eceb4d571ac3bd4f9ad03f4e6bfad8568ef8c8a75b7f3c27681b2b7013d973b92c157a8ed2b2b69a99354e9604bba49877362becefb747ebeba7b86f99c78a67ab278863a9c7e9a84de3e5abaa747522de037b97d87c7edfd4bfb8e8155c0a31f61a5db40a67843fa0186f72ccd34b40c338879cb83f6e183479e4d9b342672b248495653d2e951b7630d1974a370d1062032184624f24ec00afc6e866ae391eed0ab53b659cd2377913dd787ddbd18bba0febd7b44793247c00dd42baf31cab3b1fe	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 388	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	3
PID 2748 wrote to memory of 388	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	3
PID 2748 wrote to memory of 388	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	3
PID 2748 wrote to memory of 388	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	3
PID 2748 wrote to memory of 388	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	3
PID 2748 wrote to memory of 388	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	3
PID 2748 wrote to memory of 400	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	4
PID 2748 wrote to memory of 400	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	4
PID 2748 wrote to memory of 400	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	4
PID 2748 wrote to memory of 400	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	4
PID 2748 wrote to memory of 400	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	4
PID 2748 wrote to memory of 400	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	4
PID 2748 wrote to memory of 436	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	5
PID 2748 wrote to memory of 436	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	5
PID 2748 wrote to memory of 436	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	5
PID 2748 wrote to memory of 436	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	5
PID 2748 wrote to memory of 436	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	5
PID 2748 wrote to memory of 436	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	5
PID 2748 wrote to memory of 480	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	6
PID 2748 wrote to memory of 480	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	6
PID 2748 wrote to memory of 480	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	6
PID 2748 wrote to memory of 480	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	6
PID 2748 wrote to memory of 480	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	6
PID 2748 wrote to memory of 480	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	6
PID 2748 wrote to memory of 496	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	7
PID 2748 wrote to memory of 496	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	7
PID 2748 wrote to memory of 496	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	7
PID 2748 wrote to memory of 496	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	7
PID 2748 wrote to memory of 496	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	7
PID 2748 wrote to memory of 496	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	7
PID 2748 wrote to memory of 504	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	8
PID 2748 wrote to memory of 504	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	8
PID 2748 wrote to memory of 504	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	8
PID 2748 wrote to memory of 504	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	8
PID 2748 wrote to memory of 504	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	8
PID 2748 wrote to memory of 504	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	8
PID 2748 wrote to memory of 600	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	9
PID 2748 wrote to memory of 600	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	9
PID 2748 wrote to memory of 600	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	9
PID 2748 wrote to memory of 600	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	9
PID 2748 wrote to memory of 600	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	9
PID 2748 wrote to memory of 600	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	9
PID 2748 wrote to memory of 676	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	10
PID 2748 wrote to memory of 676	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	10
PID 2748 wrote to memory of 676	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	10
PID 2748 wrote to memory of 676	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	10
PID 2748 wrote to memory of 676	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	10
PID 2748 wrote to memory of 676	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	10
PID 2748 wrote to memory of 752	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	11
PID 2748 wrote to memory of 752	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	11
PID 2748 wrote to memory of 752	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	11
PID 2748 wrote to memory of 752	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	11
PID 2748 wrote to memory of 752	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	11
PID 2748 wrote to memory of 752	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	11
PID 2748 wrote to memory of 824	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	12
PID 2748 wrote to memory of 824	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	12
PID 2748 wrote to memory of 824	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	12
PID 2748 wrote to memory of 824	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	12
PID 2748 wrote to memory of 824	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	12
PID 2748 wrote to memory of 824	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	12
PID 2748 wrote to memory of 872	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	13
PID 2748 wrote to memory of 872	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	13
PID 2748 wrote to memory of 872	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	13
PID 2748 wrote to memory of 872	2748	216573060116f48b1a020f3dab13481a_JaffaCakes118.exe	13

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:388
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:480
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:600
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1052
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:676
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:752
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:824
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1176
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:872
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:1000
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:348
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:548
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1060
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1116
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2132
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2300
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:496
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:504

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:400

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\216573060116f48b1a020f3dab13481a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\216573060116f48b1a020f3dab13481a_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\PCGWIN32.LI5

Filesize
2KB

MD5
8de3bf3c74e77d09fa3e386f5d6583d7

SHA1
db7b1aee786b8315a55d4b8ef6b91353d9397b00

SHA256
88c50c9f64332a177f280fe325de049672c1b38ef28ac4614a49e25615c34737

SHA512
2e10205916a98defc81e4e4f343842af5f9795216dae1e3faabf6358ce270929dedc6afd942a508b957e6774df5198f28fe6139aa51443daba3eaae2e1c32fe1

Download Submit
memory/2748-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-12-0x00000000775DF000-0x00000000775E0000-memory.dmp

Filesize
4KB

Download
memory/2748-11-0x00000000775E0000-0x00000000775E1000-memory.dmp

Filesize
4KB

Download
memory/2748-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download