Analysis
max time kernel: 149s
max time network: 134s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 04/07/2024, 04:22

Behavioral task: behavioral1
Sample: 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
Resource: win10v2004-20240611-en

General
Target: 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
Size: 875KB
MD5: 249dbef48619781b75f151813e0acbd2
SHA1: 52b12d1d695f19b8074b117802d4caa9d0f7fd6d
SHA256: 6ea5c80473298c65dfb9cbe106aa440e725be596c910eab729182c5d3d87ad4e
SHA512: ac1b6cc4c540e916fcf404a6c2eb5c93948b7fc217dfbce38b4dabda2fd010d4bf53f702070fccd49c96f4ad5782ffe510ca642f7c5900758ce07359825bb0ad
SSDEEP: 24576:B5T0kUJQDdHVFQlyOW8oooiAhYJWtA7q:B53UEHVFQAp5iAOgtAG
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies security service (2 TTPs, 1 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" (cthost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (Ww9OoYLk.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (fakaw.exe)
ModiLoader Second Stage (10 IoCs)
YARA rule matches (resource: rule):
- behavioral1/memory/1800-12-0x0000000000400000-0x0000000000535000-memory.dmp (modiloader_stage2)
- behavioral1/memory/1800-14-0x0000000000400000-0x0000000000535000-memory.dmp (modiloader_stage2)
- behavioral1/memory/2084-9-0x0000000000400000-0x000000000041F000-memory.dmp (modiloader_stage2)
- behavioral1/files/0x0034000000015662-44.dat (modiloader_stage2)
- behavioral1/memory/2584-69-0x0000000000400000-0x000000000041E000-memory.dmp (modiloader_stage2)
- behavioral1/files/0x0008000000015b85-71.dat (modiloader_stage2)
- behavioral1/memory/2156-89-0x0000000000400000-0x000000000041E000-memory.dmp (modiloader_stage2)
- behavioral1/memory/1800-111-0x0000000000240000-0x00000000002A6000-memory.dmp (modiloader_stage2)
- behavioral1/memory/1800-139-0x0000000000400000-0x0000000000535000-memory.dmp (modiloader_stage2)
- behavioral1/memory/1800-389-0x0000000000400000-0x0000000000535000-memory.dmp (modiloader_stage2)
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
Disables taskbar notifications via registry modification
-
Deletes itself (1 IoCs)
- 2176 cmd.exe
Executes dropped EXE (13 IoCs)
- 2560 Ww9OoYLk.exe
- 2532 fakaw.exe
- 2584 athost.exe
- 1556 athost.exe
- 2156 bthost.exe
- 1488 bthost.exe
- 2320 cthost.exe
- 1236 dthost.exe
- 336 csrss.exe
- 1804 ethost.exe
- 884 cthost.exe
- 2840 cthost.exe
- 1852 A860.tmp
Loads dropped DLL (19 IoCs)
- 1800 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe (12 entries)
- 2560 Ww9OoYLk.exe (2 entries)
- 2320 cthost.exe (3 entries)
- 2748 DllHost.exe (1 entry)
- 1852 A860.tmp (1 entry)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
YARA rule matches (resource: rule):
- behavioral1/memory/1800-2-0x0000000000400000-0x0000000000535000-memory.dmp (upx)
- behavioral1/memory/1800-12-0x0000000000400000-0x0000000000535000-memory.dmp (upx)
- behavioral1/memory/1800-14-0x0000000000400000-0x0000000000535000-memory.dmp (upx)
- behavioral1/memory/1800-11-0x0000000000400000-0x0000000000535000-memory.dmp (upx)
- behavioral1/memory/1800-5-0x0000000000400000-0x0000000000535000-memory.dmp (upx)
- behavioral1/memory/1800-3-0x0000000000400000-0x0000000000535000-memory.dmp (upx)
- behavioral1/memory/1488-87-0x0000000000400000-0x0000000000427000-memory.dmp (upx)
- behavioral1/memory/1488-94-0x0000000000400000-0x0000000000427000-memory.dmp (upx)
- behavioral1/memory/1488-93-0x0000000000400000-0x0000000000427000-memory.dmp (upx)
- behavioral1/memory/1488-91-0x0000000000400000-0x0000000000427000-memory.dmp (upx)
- behavioral1/memory/1488-83-0x0000000000400000-0x0000000000427000-memory.dmp (upx)
- behavioral1/memory/1488-81-0x0000000000400000-0x0000000000427000-memory.dmp (upx)
- behavioral1/memory/1800-111-0x0000000000240000-0x00000000002A6000-memory.dmp (upx)
- behavioral1/memory/1800-139-0x0000000000400000-0x0000000000535000-memory.dmp (upx)
- behavioral1/memory/884-192-0x0000000000400000-0x000000000046B000-memory.dmp (upx)
- behavioral1/memory/1800-389-0x0000000000400000-0x0000000000535000-memory.dmp (upx)
Adds Run key to start application (2 TTPs, 53 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /Z" (Ww9OoYLk.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /<switch>" (fakaw.exe), written 51 times with a different switch each time, in this order: /h, /S, /j, /W, /x, /k, /q, /u, /t, /i, /J, /m, /P, /D, /M, /C, /f, /p, /E, /n, /B, /G, /l, /A, /Y, /V, /L, /Z, /r, /K, /I, /O, /b, /X, /T, /v, /a, /y, /s, /R, /H, /w, /U, /d, /N, /c, /o, /F, /e, /Q, /z
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\87C.exe = "C:\\Program Files (x86)\\LP\\A6F9\\87C.exe" (cthost.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) (2 IoCs)
- File created \systemroot\assembly\GAC_64\Desktop.ini (csrss.exe)
- File created \systemroot\assembly\GAC_32\Desktop.ini (csrss.exe)
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (bthost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (athost.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (athost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (bthost.exe)
Suspicious use of SetThreadContext (4 IoCs)
- PID 2084 set thread context of 1800: 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe (procid_target 28)
- PID 2584 set thread context of 1556: athost.exe (procid_target 36)
- PID 2156 set thread context of 1488: bthost.exe (procid_target 38)
- PID 1236 set thread context of 2972: dthost.exe (procid_target 43)
Drops file in Program Files directory (3 IoCs)
- File created C:\Program Files (x86)\LP\A6F9\87C.exe (cthost.exe)
- File opened for modification C:\Program Files (x86)\LP\A6F9\A860.tmp (cthost.exe)
- File opened for modification C:\Program Files (x86)\LP\A6F9\87C.exe (cthost.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
- 2672 tasklist.exe
- 1980 tasklist.exe
Modifies registry class (5 IoCs)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- 2560 Ww9OoYLk.exe (2 entries)
- 1556 athost.exe (13 entries)
- 1488 bthost.exe (1 entry)
- 2532 fakaw.exe (39 entries)
- 2320 cthost.exe (6 entries)
- 1236 dthost.exe (3 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- 1184 explorer.exe
Suspicious use of AdjustPrivilegeToken (19 IoCs)
- Token: SeDebugPrivilege, 2672 tasklist.exe
- Token: SeRestorePrivilege, 1896 msiexec.exe
- Token: SeTakeOwnershipPrivilege, 1896 msiexec.exe
- Token: SeSecurityPrivilege, 1896 msiexec.exe
- Token: SeDebugPrivilege, 1236 dthost.exe (2 entries)
- Token: SeShutdownPrivilege, 1184 explorer.exe (12 entries)
- Token: SeDebugPrivilege, 1980 tasklist.exe
Suspicious use of FindShellTrayWindow (28 IoCs)
- 1184 explorer.exe (28 entries)
Suspicious use of SendNotifyMessage (18 IoCs)
- 1184 explorer.exe (18 entries)
Suspicious use of SetWindowsHookEx (4 IoCs)
- 1800 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
- 2560 Ww9OoYLk.exe
- 2532 fakaw.exe
- 1804 ethost.exe
Suspicious use of UnmapMainImage (1 IoCs)
- 336 csrss.exe
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 2084 wrote to memory of 1800: 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe (procid_target 28, 8 entries)
- PID 1800 wrote to memory of 2560: 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe (procid_target 29, 4 entries)
- PID 2560 wrote to memory of 2532: Ww9OoYLk.exe (procid_target 30, 4 entries)
- PID 2560 wrote to memory of 2600: Ww9OoYLk.exe (procid_target 31, 4 entries)
- PID 2600 wrote to memory of 2672: cmd.exe (procid_target 33, 4 entries)
- PID 1800 wrote to memory of 2584: 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe (procid_target 35, 4 entries)
- PID 2584 wrote to memory of 1556: athost.exe (procid_target 36, 10 entries)
- PID 1800 wrote to memory of 2156: 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe (procid_target 37, 4 entries)
- PID 2156 wrote to memory of 1488: bthost.exe (procid_target 38, 8 entries)
- PID 1800 wrote to memory of 2320: 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe (procid_target 39, 4 entries)
- PID 1800 wrote to memory of 1236: 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe (procid_target 42, 4 entries)
- PID 1236 wrote to memory of 336: dthost.exe (procid_target 2, 1 entry)
- PID 1236 wrote to memory of 2972: dthost.exe (procid_target 43, 5 entries)
System policy modification (1 TTPs, 2 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (cthost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (cthost.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Process tree; the number in brackets is the nesting depth.)
- [1] C:\Windows\system32\csrss.exe
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  PID: 336
  Signatures: Executes dropped EXE; Drops desktop.ini file(s); Suspicious use of UnmapMainImage
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs
  PID: 856
  - [2] C:\Windows\system32\wbem\WMIADAP.EXE
    Command line: wmiadap.exe /F /T /R
    PID: 2476
- [1] C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe"
  PID: 2084
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
    Command line: 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
    PID: 1800
    Signatures: Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\Ww9OoYLk.exe
      Command line: C:\Users\Admin\Ww9OoYLk.exe
      PID: 2560
      Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\fakaw.exe
        Command line: "C:\Users\Admin\fakaw.exe"
        PID: 2532
        Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del Ww9OoYLk.exe
        PID: 2600
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist
          PID: 2672
          Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\athost.exe
      Command line: C:\Users\Admin\athost.exe
      PID: 2584
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\athost.exe
        Command line: athost.exe
        PID: 1556
        Signatures: Executes dropped EXE; Maps connected drives based on registry; Suspicious behavior: EnumeratesProcesses
    - [3] C:\Users\Admin\bthost.exe
      Command line: C:\Users\Admin\bthost.exe
      PID: 2156
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\bthost.exe
        Command line: bthost.exe
        PID: 1488
        Signatures: Executes dropped EXE; Maps connected drives based on registry; Suspicious behavior: EnumeratesProcesses
    - [3] C:\Users\Admin\cthost.exe
      Command line: C:\Users\Admin\cthost.exe
      PID: 2320
      Signatures: Modifies security service; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; System policy modification
      - [4] C:\Users\Admin\cthost.exe
        Command line: C:\Users\Admin\cthost.exe startC:\Users\Admin\AppData\Roaming\9B659\D1CA6.exe%C:\Users\Admin\AppData\Roaming\9B659
        PID: 884
        Signatures: Executes dropped EXE
      - [4] C:\Users\Admin\cthost.exe
        Command line: C:\Users\Admin\cthost.exe startC:\Program Files (x86)\596D1\lvvm.exe%C:\Program Files (x86)\596D1
        PID: 2840
        Signatures: Executes dropped EXE
      - [4] C:\Program Files (x86)\LP\A6F9\A860.tmp
        Command line: "C:\Program Files (x86)\LP\A6F9\A860.tmp"
        PID: 1852
        Signatures: Executes dropped EXE; Loads dropped DLL
    - [3] C:\Users\Admin\dthost.exe
      Command line: C:\Users\Admin\dthost.exe
      PID: 1236
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        PID: 2972
    - [3] C:\Users\Admin\ethost.exe
      Command line: C:\Users\Admin\ethost.exe
      PID: 1804
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
      PID: 2176
      Signatures: Deletes itself
      - [4] C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        PID: 1980
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1896
  Signatures: Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID: 2748
  Signatures: Loads dropped DLL
- [1] C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 1184
  Signatures: Boot or Logon Autostart Execution: Active Setup; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [1] C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 1000
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (5)
Downloads