Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2024, 18:52
Behavioral task: behavioral1
Sample: 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Size: 27KB
MD5: 25df082e988842e1604b5a893572a083
SHA1: 81327a1c8d18991ef60c56110acfb8112570d41f
SHA256: 302e1fb8ec674ef0fb742d2bab93d4b3d49e0905c386e3851e6b62cab670babf
SHA512: 77c29089e618651732cde3da9669c5d45ccca2899dfb77a6b8dc1bab153250032f913b80b40e05553871e7d94de87b08e5720c030c10db3046a0d647e2a4e5f2
SSDEEP: 768:66nG+h45+XVWTHO/+7BHGOXhKY3UqPNJ3rHF5nV:66ng/F3KdanrB
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, System" | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, System" | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, System" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, System" | system.exe
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system.exe
Disables RegEdit via registry modification 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system.exe
Disables Task Manager via registry modification
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | system.exe
Executes dropped EXE 1 IoCs
pid | Process
3692 | system.exe
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 8 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | \??\f:\AUTORUN.INF | system.exe
File opened for modification | \??\c:\AUTORUN.INF | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
File created | \??\c:\AUTORUN.INF | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
File opened for modification | \??\f:\AUTORUN.INF | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
File created | \??\f:\AUTORUN.INF | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
File opened for modification | \??\c:\AUTORUN.INF | system.exe
File created | \??\c:\AUTORUN.INF | system.exe
File opened for modification | \??\f:\AUTORUN.INF | system.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system.exe | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
File created | C:\Windows\system.exe | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://clickmanu.com" | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://clickmanu.com" | system.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  976   25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Token: SeDebugPrivilege  3692  system.exe
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 5108 iexplore.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe 3316 msedge.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 5108 iexplore.exe 5108 iexplore.exe 3660 IEXPLORE.EXE 3660 IEXPLORE.EXE 3660 IEXPLORE.EXE 3660 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                              procid_target
PID 976 wrote to memory of 3692    976   25df082e988842e1604b5a893572a083_JaffaCakes118.exe  81
PID 976 wrote to memory of 3692    976   25df082e988842e1604b5a893572a083_JaffaCakes118.exe  81
PID 976 wrote to memory of 3692    976   25df082e988842e1604b5a893572a083_JaffaCakes118.exe  81
PID 976 wrote to memory of 5108    976   25df082e988842e1604b5a893572a083_JaffaCakes118.exe  82
PID 976 wrote to memory of 5108    976   25df082e988842e1604b5a893572a083_JaffaCakes118.exe  82
PID 3692 wrote to memory of 3520   3692  system.exe                                          83
PID 3692 wrote to memory of 3520   3692  system.exe                                          83
PID 5108 wrote to memory of 3660   5108  iexplore.exe                                        84
PID 5108 wrote to memory of 3660   5108  iexplore.exe                                        84
PID 5108 wrote to memory of 3660   5108  iexplore.exe                                        84
PID 976 wrote to memory of 3316    976   25df082e988842e1604b5a893572a083_JaffaCakes118.exe  94
PID 976 wrote to memory of 3316    976   25df082e988842e1604b5a893572a083_JaffaCakes118.exe  94
PID 3316 wrote to memory of 4800   3316  msedge.exe                                          95
PID 3316 wrote to memory of 4800   3316  msedge.exe                                          95
PID 3692 wrote to memory of 3432   3692  system.exe                                          96
PID 3692 wrote to memory of 3432   3692  system.exe                                          96
PID 3432 wrote to memory of 2872   3432  msedge.exe                                          97
PID 3432 wrote to memory of 2872   3432  msedge.exe                                          97
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 3508   3316  msedge.exe                                          98
PID 3316 wrote to memory of 2752   3316  msedge.exe                                          99
PID 3316 wrote to memory of 2752   3316  msedge.exe                                          99
PID 3316 wrote to memory of 3644   3316  msedge.exe                                          100
PID 3316 wrote to memory of 3644   3316  msedge.exe                                          100
PID 3316 wrote to memory of 3644   3316  msedge.exe                                          100
PID 3316 wrote to memory of 3644   3316  msedge.exe                                          100
System policy modification 1 TTPs 10 IoCs
description      ioc                                                                                             Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                     25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                   25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                     system.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                   system.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"       system.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"          25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"    25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"       25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"          system.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"    system.exe
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\25df082e988842e1604b5a893572a083_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\25df082e988842e1604b5a893572a083_JaffaCakes118.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 976
Depth 2: C:\Windows\system.exe
Command line: "C:\Windows\system.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3692
Depth 3: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://70.86.197.82/~ohnishi/ranking/test2.htm
- Modifies Internet Explorer settings
PID: 3520
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://clickmanu.com/
- Suspicious use of WriteProcessMemory
PID: 3432
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa042646f8,0x7ffa04264708,0x7ffa04264718
PID: 2872
Depth 2: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://70.86.197.82/~ohnishi/ranking/test2.htm
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 5108
Depth 3: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5108 CREDAT:17410 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID: 3660
Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://clickmanu.com/
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3316
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa042646f8,0x7ffa04264708,0x7ffa04264718
PID: 4800
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
PID: 3508
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
PID: 2752
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
PID: 3644
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
PID: 3840
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
PID: 3460
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
PID: 3648
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
PID: 2820
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
PID: 5072
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4220 /prefetch:8
PID: 1216
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4220 /prefetch:8
PID: 4468
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
PID: 60
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
PID: 836
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
PID: 2956
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
PID: 3784
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5194974540965761051,14192185440147847479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2716 /prefetch:1
PID: 2268
Depth 1: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 5032
Depth 1: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 4524
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
-
Filesize
152B
MD5
87f7abeb82600e1e640b843ad50fe0a1
SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87
SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618
-
Filesize
152B
MD5
f61fa5143fe872d1d8f1e9f8dc6544f9
SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009
SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6
-
Filesize
6KB
MD5
98a7fd340d08e83579a1fc6c07596e33
SHA1
353b8f3eaa3bdafea96b5e7eed9714c0da0de095
SHA256
ce1bbded970433e7d7bbb2cddd9515190c93c1e0581596ef6957e49330ba28cb
SHA512
1d9ae74d40412b523556d80454320c24453e7bcad27884b7f187eb1b337c0325834474a6ab08f56a0214a7ab23947e2d820e45d4df967669a1b4ce0379188816
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a74773ce-be07-4b27-bdd9-dbc911f5f60b.tmp
Filesize
5KB
MD5
463998f26584dc33b5aa7b2e36c939bb
SHA1
0ddde6be1fa60222fdcc55752c53b727ff9b675d
SHA256
69f1aa6b486ed4d5aa548686bb26e4764055a496da234675351b31b67e04d8ad
SHA512
43462556d95fad53cdffa38248e3bf806cb2528c3c4491f80db444eecaa277b9d9755e62c31d8e4085f776768133babb4a4765eff3b93b79c1b2c0c3a0628c8d
-
Filesize
16B
MD5
206702161f94c5cd39fadd03f4014d98
SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD5
46295cac801e5d4857d09837238a6394
SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD5
67a740d76520c89ee154d671f5c0c466
SHA1
b7891f893e4234e9f65d16de9378bb0380083c40
SHA256
2f2142ca80a14d4bb0a24c52599d2365581dc32c722f1174ce027e9c9efdea0e
SHA512
8cc60366db58befccf4df9a033315bc91d36dfce6ad18e61e6e788d13340c8d1d6af067b1f04c708b3561e24433b831e2b099f53b73f44a49ea028108e3ec3b9
-
Filesize
17KB
MD5
5a34cb996293fde2cb7a4ac89587393a
SHA1
3c96c993500690d1a77873cd62bc639b3a10653f
SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
27KB
MD5
25df082e988842e1604b5a893572a083
SHA1
81327a1c8d18991ef60c56110acfb8112570d41f
SHA256
302e1fb8ec674ef0fb742d2bab93d4b3d49e0905c386e3851e6b62cab670babf
SHA512
77c29089e618651732cde3da9669c5d45ccca2899dfb77a6b8dc1bab153250032f913b80b40e05553871e7d94de87b08e5720c030c10db3046a0d647e2a4e5f2
-
Filesize
88B
MD5
f412d183d2bf78c98805c40c3965ac56
SHA1
91a224cea616d37a0dcc97f503499125a49439ce
SHA256
b06a85db2eb15066b49c1d36cf7ff022aac40708e9af2cbd03d4c1dba5b7e737
SHA512
0fc5af9733205524596e2538a4eb54407d52356c26a39492725e4ac16de2223a9fae90f8b1132ef623fada8c5886bc30f03d44d3e6bce183d9a7bd8b2194762a