782979c3363efffb51a2cbd969c7e108b7132df495b239fef88639c1059a98cf

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Size

500KB
MD5

2849b60eb790f8127e85d8d6a433846e
SHA1

b9a587a965d3c91bac29d2aa138e3a0680927454
SHA256

782979c3363efffb51a2cbd969c7e108b7132df495b239fef88639c1059a98cf
SHA512

285c0bb8bf6c4f240d282c52351281d56e38e2e46447812b9e8bf663fa8501ae44216301fb3c1fb5324d542523bd1702f60fb135ead0b502ed39b8ff6a9b7a23
SSDEEP

12288:BXNRS8FLnOi1fGB+6uvocZUFy2enYu2vlipnN47s:BXPSYyi1+B+6SDU42eYu2vAcI

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\wuauclt.exe	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wuauclt.exe	wuauclt.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wuauclt.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wuauclt.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wuauclt.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wuauclt.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wuauclt.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wuauclt.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wuauclt.exe	attrib.exe
File created	C:\Windows\SysWOW64\drivers\wuauclt.exe	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wuauclt.exe	attrib.exe
File created	C:\Windows\SysWOW64\drivers\J.bat	wuauclt.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wuauclt.exe	attrib.exe

Deletes itself 1 IoCs

pid	Process
2908	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2808	wuauclt.exe

Loads dropped DLL 8 IoCs

pid	Process
2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
2808	wuauclt.exe
2808	wuauclt.exe
2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2524-0-0x0000000000400000-0x0000000000564000-memory.dmp	upx
behavioral1/memory/2524-1-0x0000000000400000-0x0000000000564000-memory.dmp	upx
behavioral1/files/0x0006000000019248-20.dat	upx
behavioral1/memory/2524-48-0x00000000006E0000-0x00000000006F0000-memory.dmp	upx
behavioral1/memory/2524-50-0x0000000000400000-0x0000000000564000-memory.dmp	upx
behavioral1/memory/2808-51-0x0000000000400000-0x0000000000564000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zlib.dll	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zlib.dll	wuauclt.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
2808	wuauclt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
2808	wuauclt.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2808	2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2808	2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2808	2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2808	2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2768	2808	wuauclt.exe	31
PID 2808 wrote to memory of 2768	2808	wuauclt.exe	31
PID 2808 wrote to memory of 2768	2808	wuauclt.exe	31
PID 2808 wrote to memory of 2768	2808	wuauclt.exe	31
PID 2524 wrote to memory of 2908	2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe	33
PID 2524 wrote to memory of 2908	2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe	33
PID 2524 wrote to memory of 2908	2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe	33
PID 2524 wrote to memory of 2908	2524	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe	33
PID 2768 wrote to memory of 2640	2768	cmd.exe	35
PID 2768 wrote to memory of 2640	2768	cmd.exe	35
PID 2768 wrote to memory of 2640	2768	cmd.exe	35
PID 2768 wrote to memory of 2640	2768	cmd.exe	35
PID 2768 wrote to memory of 2752	2768	cmd.exe	36
PID 2768 wrote to memory of 2752	2768	cmd.exe	36
PID 2768 wrote to memory of 2752	2768	cmd.exe	36
PID 2768 wrote to memory of 2752	2768	cmd.exe	36
PID 2768 wrote to memory of 2788	2768	cmd.exe	37
PID 2768 wrote to memory of 2788	2768	cmd.exe	37
PID 2768 wrote to memory of 2788	2768	cmd.exe	37
PID 2768 wrote to memory of 2788	2768	cmd.exe	37
PID 2908 wrote to memory of 2868	2908	cmd.exe	38
PID 2908 wrote to memory of 2868	2908	cmd.exe	38
PID 2908 wrote to memory of 2868	2908	cmd.exe	38
PID 2908 wrote to memory of 2868	2908	cmd.exe	38
PID 2768 wrote to memory of 1524	2768	cmd.exe	39
PID 2768 wrote to memory of 1524	2768	cmd.exe	39
PID 2768 wrote to memory of 1524	2768	cmd.exe	39
PID 2768 wrote to memory of 1524	2768	cmd.exe	39
PID 2768 wrote to memory of 2616	2768	cmd.exe	40
PID 2768 wrote to memory of 2616	2768	cmd.exe	40
PID 2768 wrote to memory of 2616	2768	cmd.exe	40
PID 2768 wrote to memory of 2616	2768	cmd.exe	40
PID 2768 wrote to memory of 2612	2768	cmd.exe	41
PID 2768 wrote to memory of 2612	2768	cmd.exe	41
PID 2768 wrote to memory of 2612	2768	cmd.exe	41
PID 2768 wrote to memory of 2612	2768	cmd.exe	41
PID 2768 wrote to memory of 2632	2768	cmd.exe	42
PID 2768 wrote to memory of 2632	2768	cmd.exe	42
PID 2768 wrote to memory of 2632	2768	cmd.exe	42
PID 2768 wrote to memory of 2632	2768	cmd.exe	42
PID 2768 wrote to memory of 2648	2768	cmd.exe	43
PID 2768 wrote to memory of 2648	2768	cmd.exe	43
PID 2768 wrote to memory of 2648	2768	cmd.exe	43
PID 2768 wrote to memory of 2648	2768	cmd.exe	43
PID 2768 wrote to memory of 2680	2768	cmd.exe	44
PID 2768 wrote to memory of 2680	2768	cmd.exe	44
PID 2768 wrote to memory of 2680	2768	cmd.exe	44
PID 2768 wrote to memory of 2680	2768	cmd.exe	44

Views/modifies file attributes 1 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2788	attrib.exe
1524	attrib.exe
2616	attrib.exe
2612	attrib.exe
2680	attrib.exe
2640	attrib.exe
2752	attrib.exe
2868	attrib.exe
2632	attrib.exe
2648	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\drivers\wuauclt.exe
  C:\Windows\system32\drivers\wuauclt.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\SysWOW64\drivers\J.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\drivers\wuauclt.exe" -h -r -s
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2640
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\drivers\wuauclt.exe" -h -r -s
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2752
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\drivers\wuauclt.exe" -h -r -s
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\drivers\wuauclt.exe" -h -r -s
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\drivers\wuauclt.exe" -h -r -s
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2616
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\drivers\wuauclt.exe" -h -r -s
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\drivers\wuauclt.exe" -h -r -s
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\drivers\wuauclt.exe" -h -r -s
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2648
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\drivers\wuauclt.exe" -h -r -s
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\J.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe" -h -r -s
    3⤵
    - Views/modifies file attributes
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\J.bat

Filesize
462B

MD5
8c131410578261a7e41cb18914dc767d

SHA1
29f296a1c0924acf9a33eacd6f20f497e0d458f8

SHA256
e7d555822a470e96db627bcf14f50efbd0f7743d826b3dd5b0ecadad7de15fd1

SHA512
c8d20b75fb78f980ba2545dcc110e25a6adf19aac0b51f328db98e0a65228c262edd0373f45f448071bca83036d0537727c74df40e11fcdecf94fdb98a20047a

Download Submit
C:\Windows\SysWOW64\drivers\J.bat

Filesize
282B

MD5
3da4ce4ba3905f5b8aeb6501ea6b74f4

SHA1
0aaa163766cc8d427f2316665563b120f1d13b79

SHA256
eedec29dd0c8d40a59f0065323136dc13174a5fce6fb48535e8b5b695b57f000

SHA512
7c82a8023844710215aa20db1391e3ba9aecad138c3793115d5d122f5afd33f10053836bdffce777ea19647b679d3cdf74a57026e976a52817360164ffe12db3

Download Submit
C:\Windows\SysWOW64\drivers\wuauclt.exe

Filesize
500KB

MD5
2849b60eb790f8127e85d8d6a433846e

SHA1
b9a587a965d3c91bac29d2aa138e3a0680927454

SHA256
782979c3363efffb51a2cbd969c7e108b7132df495b239fef88639c1059a98cf

SHA512
285c0bb8bf6c4f240d282c52351281d56e38e2e46447812b9e8bf663fa8501ae44216301fb3c1fb5324d542523bd1702f60fb135ead0b502ed39b8ff6a9b7a23

Download Submit
C:\Windows\SysWOW64\zlib.dll

Filesize
52KB

MD5
c88a6474424b1bf960e7ebb4b28d0ed0

SHA1
1405881be65153a661feab43115532f7ec80c077

SHA256
0df0c22bf411ad670d7b8fe5a533e4831313d5a3118cf9216389c642c90ec2f9

SHA512
a4c273f474cf15b86dc038a2bfceb28ee17178de20aa5c17378b15e92159cf70c29549d4e7254ae351d45054e4d15c3b87e5808fad9899f9417864fcb6f14d78

Download Submit
\Windows\SysWOW64\mswinsck.ocx

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
memory/2524-0-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/2524-1-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/2524-48-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/2524-50-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/2808-32-0x0000000001FA0000-0x0000000001FB0000-memory.dmp

Filesize
64KB

Download
memory/2808-51-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download