Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
04/07/2024, 02:52
Behavioral task
behavioral1
Sample
246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
-
Size
771KB
-
MD5
246217ade9b88eb3cc1e3fd5ad3a1eec
-
SHA1
ca5d68a67eb0eaa719fd9d151fa7e386641a59c5
-
SHA256
4b7f316f2cfb86274ae9977e481a95c66877728773369105ea2a8e2b3f387c57
-
SHA512
3b31f45704aab02deeb10bfaadffb304b77ab2cad364c75035d3032068f88c76dafddd8ec037ec55874f52182f9c2d605e6e7fd69f2025cac8b277faf9b38f4e
-
SSDEEP
12288:l6HDFQPji50QKpVBeN33YuR8xMJHiM5M3vtESOkF59PjIkVyGNiwuAvzON:ojCPjHVB5u+xBM5259PlVyGNNvzO
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\252884a2\\X" explorer.exe -
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process
- Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" khqKc8.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" duadoi.exe
-
ModiLoader Second Stage 1 IoCs
resource yara_rule behavioral1/memory/2068-11-0x0000000000400000-0x0000000000418000-memory.dmp modiloader_stage2 -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
pid Process 2128 cmd.exe -
Executes dropped EXE 10 IoCs
pid Process
- 2564 khqKc8.exe
- 2740 duadoi.exe
- 2924 afhost.exe
- 1676 bfhost.exe
- 336 csrss.exe
- 1776 afhost.exe
- 3000 X
- 1828 C523.tmp
- 1364 cfhost.exe
- 1764 afhost.exe
-
Loads dropped DLL 14 IoCs
pid Process
- 2176 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe (×2)
- 2564 khqKc8.exe (×2)
- 2176 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe (×4)
- 1676 bfhost.exe (×2)
- 2924 afhost.exe (×2)
- 2176 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe (×2)
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule
- behavioral1/memory/2176-14-0x0000000000400000-0x00000000004DF000-memory.dmp upx
- behavioral1/memory/2176-13-0x0000000000400000-0x00000000004DF000-memory.dmp upx
- behavioral1/memory/2176-6-0x0000000000400000-0x00000000004DF000-memory.dmp upx
- behavioral1/memory/2176-3-0x0000000000400000-0x00000000004DF000-memory.dmp upx
- behavioral1/memory/2176-2-0x0000000000400000-0x00000000004DF000-memory.dmp upx
- behavioral1/memory/2176-15-0x0000000000400000-0x00000000004DF000-memory.dmp upx
- behavioral1/memory/2176-84-0x0000000000400000-0x00000000004DF000-memory.dmp upx
- behavioral1/memory/2924-85-0x0000000000400000-0x000000000046A000-memory.dmp upx
- behavioral1/memory/1776-185-0x0000000000400000-0x000000000046A000-memory.dmp upx
- behavioral1/memory/2924-186-0x0000000000400000-0x000000000046A000-memory.dmp upx
- behavioral1/memory/2924-267-0x0000000000400000-0x000000000046A000-memory.dmp upx
- behavioral1/memory/2924-278-0x0000000000400000-0x000000000046A000-memory.dmp upx
- behavioral1/memory/1764-280-0x0000000000400000-0x000000000046A000-memory.dmp upx
- behavioral1/memory/2176-342-0x0000000000400000-0x00000000004DF000-memory.dmp upx
-
Adds Run key to start application 2 TTPs 54 IoCs
description ioc Process
All 54 entries are Set value (str) writes. 53 of them rewrite the same per-user Run value, each time with a different command-line switch:
- \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /<switch>" duadoi.exe
  switches in report order: /I /Y /T /j /s /c /k /X /U /F /u /a /n /p /y /S /Q /V /M /P /R /O /D /h /d /K /i /o /G /f /b /H /g /J /G /L /l /z /t /v /B /W /m /r /e /E /w /C /Z /x /N /A /q (the 35th entry, /G, was written by khqKc8.exe; every other entry by duadoi.exe)
The remaining entry is a machine-wide Run value written by afhost.exe, between the /w and /C entries above:
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\211.exe = "C:\\Program Files (x86)\\LP\\3520\\211.exe" afhost.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target
- PID 2068 set thread context of 2176 (2068 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe, target 28)
- PID 1676 set thread context of 1900 (1676 bfhost.exe, target 49)
-
Drops file in Program Files directory 3 IoCs
description ioc Process
- File created C:\Program Files (x86)\LP\3520\211.exe afhost.exe
- File opened for modification C:\Program Files (x86)\LP\3520\211.exe afhost.exe
- File opened for modification C:\Program Files (x86)\LP\3520\C523.tmp afhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process
- 2628 tasklist.exe
- 3064 tasklist.exe
-
Modifies registry class 8 IoCs
description ioc Process
- Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe
- Key created \registry\machine\Software\Classes\Interface\{862703e3-6e7c-b4d4-5418-1c7942b29c45} bfhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{862703e3-6e7c-b4d4-5418-1c7942b29c45}\u = "188" bfhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{862703e3-6e7c-b4d4-5418-1c7942b29c45}\cid = "3360857642017726549" bfhost.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings explorer.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2564 khqKc8.exe 2564 khqKc8.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2924 afhost.exe 2924 afhost.exe 2924 afhost.exe 2924 afhost.exe 2924 afhost.exe 2924 afhost.exe 2740 duadoi.exe 2740 duadoi.exe 1676 bfhost.exe 1676 bfhost.exe 1676 bfhost.exe 1676 bfhost.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2924 afhost.exe 2924 afhost.exe 2924 afhost.exe 2924 afhost.exe 2924 afhost.exe 2924 afhost.exe 2924 afhost.exe 2924 afhost.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 3000 X 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe 2740 duadoi.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 648 explorer.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process
- Token: SeDebugPrivilege 2628 tasklist.exe
- Token: SeRestorePrivilege 2784 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2784 msiexec.exe
- Token: SeSecurityPrivilege 2784 msiexec.exe
- Token: SeDebugPrivilege 1676 bfhost.exe (×2)
- Token: SeShutdownPrivilege 648 explorer.exe (×12)
- Token: SeDebugPrivilege 3064 tasklist.exe
-
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process
- 648 explorer.exe (×28)
-
Suspicious use of SendNotifyMessage 18 IoCs
pid Process
- 648 explorer.exe (×18)
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
- 2176 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
- 2564 khqKc8.exe
- 2740 duadoi.exe
- 1364 cfhost.exe
-
Suspicious use of UnmapMainImage 1 IoCs
pid Process 336 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
- PID 2068 wrote to memory of 2176 (2068 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe, target 28) ×8
- PID 2176 wrote to memory of 2564 (2176 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe, target 29) ×4
- PID 2564 wrote to memory of 2740 (2564 khqKc8.exe, target 30) ×4
- PID 2564 wrote to memory of 2548 (2564 khqKc8.exe, target 31) ×4
- PID 2548 wrote to memory of 2628 (2548 cmd.exe, target 33) ×4
- PID 2176 wrote to memory of 2924 (2176 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe, target 35) ×4
- PID 2176 wrote to memory of 1676 (2176 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe, target 38) ×4
- PID 1676 wrote to memory of 1192 (1676 bfhost.exe, target 21) ×1
- PID 1676 wrote to memory of 336 (1676 bfhost.exe, target 2) ×1
- PID 2924 wrote to memory of 1776 (2924 afhost.exe, target 40) ×4
- PID 336 wrote to memory of 2004 (336 csrss.exe, target 41) ×1
- PID 336 wrote to memory of 2900 (336 csrss.exe, target 42) ×1
- PID 1676 wrote to memory of 3000 (1676 bfhost.exe, target 43) ×4
- PID 3000 wrote to memory of 648 (3000 X, target 39) ×1
- PID 2924 wrote to memory of 1828 (2924 afhost.exe, target 44) ×4
- PID 336 wrote to memory of 2932 (336 csrss.exe, target 45) ×2
- PID 2176 wrote to memory of 1364 (2176 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe, target 46) ×4
- PID 336 wrote to memory of 1424 (336 csrss.exe, target 47) ×1
- PID 2924 wrote to memory of 1764 (2924 afhost.exe, target 48) ×4
- PID 1676 wrote to memory of 1900 (1676 bfhost.exe, target 49) ×4
-
System policy modification 1 TTPs 2 IoCs
description ioc Process
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer afhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" afhost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
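The registry writes listed in the Signatures section are the persistence and defence-evasion IoCs of this run: a Winlogon Shell value pointing at a dropped file, per-user and machine-wide Run values, an Active Setup key, ShowSuperHidden cleared, and HideSCAHealth set. The script below is an added example and is not part of the Triage report: it parses IoC lines in the exact shape the report prints them and maps each to the technique it implements. The input lines are copied from the sections above; the hive shortening (HKU/HKLM), the technique names and the severity labels are the editor's rules, not Triage's.

```python
"""Classify registry IoC lines of the kind printed in a Triage-style report."""
import re
from dataclasses import dataclass
from typing import Optional

# Report line shapes: 'Set value (<type>) <path> = "<value>" <process>' and 'Key created <path> <process>'
SET_RE = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<path>.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>.+) (?P<proc>\S+)$')
# Native hive names: \REGISTRY\USER\<SID>[_CLASSES] -> HKU, \REGISTRY\MACHINE -> HKLM
HIVE_RE = re.compile(r'^\\registry\\(user\\s-1-5-[\d-]+(?:_classes)?|machine)', re.I)


@dataclass
class Finding:
    technique: str
    severity: str
    path: str
    value: Optional[str]
    process: str


def parse_line(line: str):
    """Return (path, value-or-None, process), or None for lines in another shape."""
    m = SET_RE.match(line)
    if m:
        return m['path'], m['value'], m['proc']
    m = KEY_RE.match(line)
    if m:
        return m['path'], None, m['proc']
    return None


def classify(path: str, value: Optional[str], proc: str) -> Optional[Finding]:
    """Map one registry write to a technique (editor's rules, not the sandbox's)."""
    short = HIVE_RE.sub(lambda m: 'HKLM' if m.group(1).lower() == 'machine' else 'HKU', path)
    low = short.lower()
    if low.endswith('\\winlogon\\shell'):
        # Winlogon\Shell should be "explorer.exe"; anything else runs in its place at every logon
        ok = value is not None and value.lower() == 'explorer.exe'
        return Finding('Winlogon Helper (Shell)', 'info' if ok else 'high', short, value, proc)
    if '\\currentversion\\run\\' in low:
        # Run entries that point into the user profile are the usual malware pattern
        in_profile = value is not None and re.search(r'\\users\\|appdata', value, re.I) is not None
        return Finding('Registry Run key', 'high' if in_profile else 'medium', short, value, proc)
    if '\\active setup\\installed components' in low:
        return Finding('Active Setup', 'medium', short, value, proc)
    if low.endswith('\\explorer\\advanced\\showsuperhidden') and value == '0':
        return Finding('Hide protected OS files', 'medium', short, value, proc)
    if low.endswith('\\policies\\explorer\\hidescahealth') and value == '1':
        return Finding('Hide Action Center icon', 'medium', short, value, proc)
    return None


def scan(lines):
    """Parse every line and keep the ones that map to a technique, in input order."""
    findings = []
    for line in lines:
        parsed = parse_line(line.strip())
        if parsed:
            f = classify(*parsed)
            if f:
                findings.append(f)
    return findings


# Lines copied from this report's Signatures section (same SID, same escaping as printed)
SID = r'\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000'
REPORT_LINES = [
    'Set value (str) ' + SID + r'\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\252884a2\\X" explorer.exe',
    'Set value (int) ' + SID + r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" khqKc8.exe',
    'Key created ' + SID + r'\Software\Microsoft\Active Setup\Installed Components explorer.exe',
    'Set value (str) ' + SID + r'\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /I" duadoi.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\211.exe = "C:\\Program Files (x86)\\LP\\3520\\211.exe" afhost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" afhost.exe',
    # Two benign shell-state writes from the "Modifies registry class" list; the first has an
    # unquoted binary value and is skipped by the parser, the second parses but matches no rule
    'Set value (data) ' + SID + r'_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe',
    'Key created ' + SID + r'_Classes\Local Settings explorer.exe',
]

if __name__ == '__main__':
    for f in scan(REPORT_LINES):
        print(f'[{f.severity:6}] {f.technique:24} {f.process:12} {f.path} = {f.value!r}')
```

The severity split on Run keys (user-profile path versus Program Files) is deliberate: both entries here are malicious, but a Run value under the user profile is the one you can alert on without a list of known-good installers.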
Processes
- C:\Windows\system32\csrss.exe (depth 1, PID:336)
  cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  tags: Executes dropped EXE; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
- C:\Windows\Explorer.EXE (depth 1, PID:1192)
  cmdline: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe (depth 2, PID:2068)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe"
    tags: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe (depth 3, PID:2176)
      cmdline: 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
      tags: Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\khqKc8.exe (depth 4, PID:2564)
        cmdline: C:\Users\Admin\khqKc8.exe
        tags: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\duadoi.exe (depth 5, PID:2740)
          cmdline: "C:\Users\Admin\duadoi.exe"
          tags: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\cmd.exe (depth 5, PID:2548)
          cmdline: "C:\Windows\System32\cmd.exe" /c tasklist&&del khqKc8.exe
          tags: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\tasklist.exe (depth 6, PID:2628)
            cmdline: tasklist
            tags: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\afhost.exe (depth 4, PID:2924)
        cmdline: C:\Users\Admin\afhost.exe
        tags: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
        - C:\Users\Admin\afhost.exe (depth 5, PID:1776)
          cmdline: C:\Users\Admin\afhost.exe startC:\Users\Admin\AppData\Roaming\085F0\F1035.exe%C:\Users\Admin\AppData\Roaming\085F0
          tags: Executes dropped EXE
        - C:\Program Files (x86)\LP\3520\C523.tmp (depth 5, PID:1828)
          cmdline: "C:\Program Files (x86)\LP\3520\C523.tmp"
          tags: Executes dropped EXE
        - C:\Users\Admin\afhost.exe (depth 5, PID:1764)
          cmdline: C:\Users\Admin\afhost.exe startC:\Program Files (x86)\F033E\lvvm.exe%C:\Program Files (x86)\F033E
          tags: Executes dropped EXE
      - C:\Users\Admin\bfhost.exe (depth 4, PID:1676)
        cmdline: C:\Users\Admin\bfhost.exe
        tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\252884a2\X (depth 5, PID:3000)
          cmdline: 176.53.17.23:80
          tags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (depth 5, PID:1900)
          cmdline: "C:\Windows\system32\cmd.exe"
      - C:\Users\Admin\cfhost.exe (depth 4, PID:1364)
        cmdline: C:\Users\Admin\cfhost.exe
        tags: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID:2128)
        cmdline: "C:\Windows\System32\cmd.exe" /c tasklist&&del 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
        tags: Deletes itself
        - C:\Windows\SysWOW64\tasklist.exe (depth 5, PID:3064)
          cmdline: tasklist
          tags: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe (depth 1, PID:2784)
  cmdline: C:\Windows\system32\msiexec.exe /V
  tags: Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (depth 1, PID:648)
  cmdline: explorer.exe
  tags: Modifies WinLogon for persistence; Boot or Logon Autostart Execution: Active Setup; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\system32\DllHost.exe (depth 1, PID:2004)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe (depth 1, PID:2900)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
- C:\Windows\system32\wbem\WMIADAP.EXE (depth 1, PID:2932)
  cmdline: wmiadap.exe /F /T /R
- C:\Windows\system32\DllHost.exe (depth 1, PID:1424)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
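Read together, the process tree and the WriteProcessMemory and SetThreadContext records in the Signatures section separate two very different things that the sandbox files under one heading: a parent writing into a child it has just created (seen for every spawn in this run) and a dropped binary writing into processes it never created (bfhost.exe into Explorer.EXE and csrss.exe, X into explorer.exe). The script below is an added example and is not part of the report. The process table and the distinct writer/target pairs are transcribed from the sections above; the TRUSTED_WRITERS allow-list is an assumption, added so that csrss.exe's writes into the processes it registers are not reported as injection.

```python
"""Fit a sandbox report's WriteProcessMemory / SetThreadContext records to its process tree."""
import re
from typing import Dict, List, Tuple

SAMPLE = '246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe'

# pid -> (image, parent pid); parent 0 marks a top-level entry. Transcribed from the Processes tree.
PROCESSES: Dict[int, Tuple[str, int]] = {
    336: ('csrss.exe', 0), 1192: ('Explorer.EXE', 0), 2784: ('msiexec.exe', 0),
    648: ('explorer.exe', 0), 2004: ('DllHost.exe', 0), 2900: ('DllHost.exe', 0),
    2932: ('WMIADAP.EXE', 0), 1424: ('DllHost.exe', 0),
    2068: (SAMPLE, 1192), 2176: (SAMPLE, 2068),
    2564: ('khqKc8.exe', 2176), 2740: ('duadoi.exe', 2564),
    2548: ('cmd.exe', 2564), 2628: ('tasklist.exe', 2548),
    2924: ('afhost.exe', 2176), 1776: ('afhost.exe', 2924),
    1828: ('C523.tmp', 2924), 1764: ('afhost.exe', 2924),
    1676: ('bfhost.exe', 2176), 3000: ('X', 1676), 1900: ('cmd.exe', 1676),
    1364: ('cfhost.exe', 2176), 2128: ('cmd.exe', 2176), 3064: ('tasklist.exe', 2128),
}

# Distinct (writer, target) pairs from "Suspicious use of WriteProcessMemory", in report order
WRITES: List[Tuple[int, int]] = [
    (2068, 2176), (2176, 2564), (2564, 2740), (2564, 2548), (2548, 2628),
    (2176, 2924), (2176, 1676), (1676, 1192), (1676, 336), (2924, 1776),
    (336, 2004), (336, 2900), (1676, 3000), (3000, 648), (2924, 1828),
    (336, 2932), (2176, 1364), (336, 1424), (2924, 1764), (1676, 1900),
]

# (writer, target) pairs from "Suspicious use of SetThreadContext"
SET_THREAD_CONTEXT = [(2068, 2176), (1676, 1900)]

# Assumption: the Win32 subsystem process touches every process it registers, so its writes are
# not injection. Every other writer is expected to write only into children it spawned itself.
TRUSTED_WRITERS = {'csrss.exe'}


def find_injections(processes, writes, trusted=TRUSTED_WRITERS):
    """Writes into a process the writer did not spawn and is not trusted to touch."""
    hits = []
    for writer, target in writes:
        if processes[target][1] == writer:
            continue  # parent -> freshly created child; every spawn in this run shows this
        if processes[writer][0].lower() in trusted:
            continue
        hits.append((writer, target))
    return hits


def find_hollowing(processes, set_ctx):
    """SetThreadContext on one's own child: the create-suspended, replace-image, resume pattern."""
    out = []
    for writer, target in set_ctx:
        if processes[target][1] != writer:
            continue
        same = processes[writer][0].lower() == processes[target][0].lower()
        label = 'self-hollowing (same image)' if same else 'hollowed child (different image)'
        out.append((writer, target, label))
    return out


# The self-delete idiom used twice in this run: "cmd /c tasklist&&del <file>"
SELF_DELETE_RE = re.compile(r'/c\s+tasklist\s*&&\s*del\s+(?P<file>\S+)', re.I)


def self_delete_target(cmdline: str):
    """Return the file the command line deletes, or None if it is not the idiom."""
    m = SELF_DELETE_RE.search(cmdline)
    return m['file'] if m else None


def describe(pid, processes):
    return f'{processes[pid][0]} (PID {pid})'


if __name__ == '__main__':
    for w, t in find_injections(PROCESSES, WRITES):
        print('injection:', describe(w, PROCESSES), '->', describe(t, PROCESSES))
    for w, t, label in find_hollowing(PROCESSES, SET_THREAD_CONTEXT):
        print(label + ':', describe(w, PROCESSES), '->', describe(t, PROCESSES))
    print('self-delete of', self_delete_target(r'"C:\Windows\System32\cmd.exe" /c tasklist&&del khqKc8.exe'))
```

On this report the injection pass returns exactly the three writes into processes the writer did not own, and the hollowing pass flags the sample's first instance setting the thread context of a second instance of itself (PID 2068 into 2176). The `tasklist&&del` idiom is worth matching on its own because `tasklist` only exists to stall until the parent exits so that `del` succeeds.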
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
-
Filesize 2KB
MD5 da90876350e41d0be2155af2a1adafc8
SHA1 25fb8b07ab1a9b47fba6a1a0cec6c612c21a5d47
SHA256 7bf0b7406b416e150d0eb4928c380ac61d074ef4706d41bd2441ad6559d00c75
SHA512 a1a20c8c55718d63b6809478187b1aef0383d134b4b9a665df9d531a1c12d4e5620c440fe6f37a51a5e1bc6e73992152ff25ef693320921509226500dc2ac902
-
Filesize 600B
MD5 b42b818c41c14ece48bdd0db44bd1705
SHA1 5b75442fc4264f56bbaf3626862941526c5ef45e
SHA256 147662624a37266023c866fad752971bdd3509c35387a20ed16dd11ac20f2e96
SHA512 99a5e2bc16cf3fba31b4b5a8d50c2e1cfd4cc2d30d1e6dbaeae830ff3a142eeb665d72eb1bacac01ea896cc9c41e19b390ceb01a2d24d11c37f1d1592c556597
-
Filesize 897B
MD5 cc6c214af0231981dd8cf6df0316f886
SHA1 1048900703b365661a03ce721864964e0f542b91
SHA256 0516359013eb1462290b4163a005887375b3c1fa195ca25b37f87ee3fcd2413a
SHA512 a6bc355693b53ffdb159a4f675897dfa3f1b657baa011ce8ad7a0cb9a3c26571e1eb6a1dd74adc6e9597e86631416921965be2f528d31b0dcfdd98161e4e9555
-
Filesize 1KB
MD5 6f1f8a290ed588e3db8c13e57de13dec
SHA1 f43cfbe33bf5fafa94c84aefc2bedd42f7f04f3b
SHA256 d4ef845896fc685158eae0a596b47a1431957fe12b4a0c6d8735f58c65712d03
SHA512 aef8eceea6b5c42e19ad04c937225c2915bf1e95b5ae284f5c734636eb5d904a402d602e8b2bf496c8d901e01527e7b4a8431e7293bde585e74a70c5c417c02e
-
Filesize 1KB
MD5 b611f00ac6d829210b06401cdf24afea
SHA1 4d196751d03c78025242bdccc0ff149b3cfc5230
SHA256 208b26401db19cf0b6aa3a78e0ac939c49b8656f58388a7bd33834fdcc027f41
SHA512 784e6b9bc0f86c8d3c1e753575925afb743dd019e9fb4efaca939fbc3eb6d2be59431dfbbd94e09f243dcd91a658faae5572b79afd22b309ee74d71753c02a3d
-
Filesize 300B
MD5 1edaec881d47ce3f193c20640cf0d049
SHA1 2947a7b778138bdba56bea8e0bca2d831e68bdc4
SHA256 66b752ef2afc58fa7cc2323286491f02d28f005edaccef68f3718fbc61958ceb
SHA512 d0f6a638b9b45f5db7cf5ceff27300f26b2236cdaf16ebe77bef93dd988e4720f49dc95aaab64fca3d9c7b1cbe4b110b742ab6cba19a5b5f75f50d10c7bd69a9
-
Filesize 31KB
MD5 dafc4a53954b76c5db1d857e955f3805
SHA1 a18fa0d38c6656b4398953e77e87eec3b0209ef3
SHA256 c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b
SHA512 745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633
-
Filesize 99KB
MD5 08a5937a576b475126ca81d436937a26
SHA1 0511a1e2596ab2ab23d032c2883c3380fdcc9878
SHA256 e74db8ec9e61cb575458a11f2c8e750347a3f50f2e3a0153a7e191ef64923519
SHA512 e1da5dbf78aef5ff60d6d6b3961cce297bb0bf96aa51d1f115be1c31110684ecac8585f69c4f1124d712b65b718da0374dc859884fb595d3a9835617bbde8a25
-
Filesize 41KB
MD5 686b479b0ee164cf1744a8be359ebb7d
SHA1 8615e8f967276a85110b198d575982a958581a07
SHA256 fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b
SHA512 7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64
-
Filesize 278KB
MD5 d9661054ea9d4d7f7169a5e32ba68822
SHA1 92c469afbc37b46afb9da836cf56fb22e641f8c5
SHA256 d806df6405ee274aca0b653a3e55e605fc39cff0dabc4bc3f2241217065b2cef
SHA512 b3c0da7738b0a9fb4be3a6537c9c13486dc251a8c65d1e79ac316a7b5d674843ff9501afd9f3ca2fd1edb4f2f17fab18e4e5a3eb93b313d2d70b7c2b47fafade
-
Filesize 349KB
MD5 65034c476392a35733b9c417d7ff6d5a
SHA1 9349234986401ead048087f96d9e105343772016
SHA256 e1225f280526a772313cebf1047ec836241fd5f70ac9e67dafc1bd1ed6d46479
SHA512 35d78126c48aaa0accbedaa332b191b2513cc7a89258c02b58ff3d08e197ee2441641ca4c457dbafd7170cd14ec37bb44243077a316375f42f3d763fd2933ced
-
Filesize 28KB
MD5 0170e4e883e8d259735e9359081e54df
SHA1 e7bd746d436935a8b554ca366dedbc2f3b7b4d71
SHA256 22552c2519683ef68f48a46622820aa8b5b0db6d97b75b8cbc0922420a9ff197
SHA512 4094d11abcc3d634bb5629e2611b23aab6d2844dd9a0db75ce7a2b586477f853855bc3be3c2c111ccb80b982c0db6ebafe4fa993f923d2e7548200d7abaf3218
-
Filesize 212KB
MD5 f047904ae108e80dc9a03228c353bbab
SHA1 7617b93c30f46ad1399c3854038b4b7b9c0a21f4
SHA256 458b268927240e351370be9ce2f97ae661fffc29ff411fddd985939568a14a2d
SHA512 4070872c9a29de7da49e19ebe39cd84a4a6cdc9654ed2a74fe4ab3a0907a7c0c2bf92a473fc5f590402c4409d241db580ae3ee726317046eca289f1b8efd901d
-
Filesize 212KB
MD5 931b74dd032f5f54b645a0df13795a5a
SHA1 ff7bc9e617eda75278ee82ec2b513c5042c646ba
SHA256 95584b9c9baec5ceefe9fa7afb24cb187a2523f39bcd95d079b38ea54363b24c
SHA512 5ae37ad365653a8654dc01525cf034bde59c6e319a06fc469a0167b4e060ced075e65a0d6ae747df71c4e200f06ebd12c0849a0b2feca50482240528484b75e4
-
Filesize 2KB
MD5 7f15dc743e1a77874f2f69149b901fdb
SHA1 94bfc0521adb504789540bf13954a995dadd119e
SHA256 2674286d5d7125f3a43b137ed177fd93371554003cd490d255f68df9a81d3917
SHA512 3b0b77f370d5b58d8adc5ba3c78f017ac3904422aeaa972b39d8e9a6748b534733e2a01cc24dd6f47920b63975b7f3361d47113c21b8b3ae45de10fce9f929fb