782979c3363efffb51a2cbd969c7e108b7132df495b239fef88639c1059a98cf

Analysis

max time kernel
150s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Size

500KB
MD5

2849b60eb790f8127e85d8d6a433846e
SHA1

b9a587a965d3c91bac29d2aa138e3a0680927454
SHA256

782979c3363efffb51a2cbd969c7e108b7132df495b239fef88639c1059a98cf
SHA512

285c0bb8bf6c4f240d282c52351281d56e38e2e46447812b9e8bf663fa8501ae44216301fb3c1fb5324d542523bd1702f60fb135ead0b502ed39b8ff6a9b7a23
SSDEEP

12288:BXNRS8FLnOi1fGB+6uvocZUFy2enYu2vlipnN47s:BXPSYyi1+B+6SDU42eYu2vAcI

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	wuauclts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4840	wuauclts.exe

Loads dropped DLL 3 IoCs

pid	Process
4580	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
4580	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
4840	wuauclts.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4580-0-0x0000000000400000-0x0000000000564000-memory.dmp	upx
behavioral2/memory/4580-1-0x0000000000400000-0x0000000000564000-memory.dmp	upx
behavioral2/files/0x0007000000023480-19.dat	upx
behavioral2/memory/4840-21-0x0000000000400000-0x0000000000564000-memory.dmp	upx
behavioral2/memory/4840-20-0x0000000000400000-0x0000000000564000-memory.dmp	upx
behavioral2/memory/4840-34-0x0000000000400000-0x0000000000564000-memory.dmp	upx
behavioral2/memory/4580-35-0x0000000000400000-0x0000000000564000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wuauclts.exe	wuauclts.exe
File created	C:\Windows\SysWOW64\J.bat	wuauclts.exe
File opened for modification	C:\Windows\SysWOW64\wuauclts.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\zlib.dll	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wuauclts.exe	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wuauclts.exe	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zlib.dll	wuauclts.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4580	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
4840	wuauclts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4580	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
4840	wuauclts.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 4840	4580	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe	84
PID 4580 wrote to memory of 4840	4580	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe	84
PID 4580 wrote to memory of 4840	4580	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe	84
PID 4840 wrote to memory of 4948	4840	wuauclts.exe	86
PID 4840 wrote to memory of 4948	4840	wuauclts.exe	86
PID 4840 wrote to memory of 4948	4840	wuauclts.exe	86
PID 4580 wrote to memory of 4952	4580	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe	87
PID 4580 wrote to memory of 4952	4580	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe	87
PID 4580 wrote to memory of 4952	4580	2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe	87
PID 4952 wrote to memory of 3652	4952	cmd.exe	90
PID 4948 wrote to memory of 5104	4948	cmd.exe	91
PID 4952 wrote to memory of 3652	4952	cmd.exe	90
PID 4952 wrote to memory of 3652	4952	cmd.exe	90
PID 4948 wrote to memory of 5104	4948	cmd.exe	91
PID 4948 wrote to memory of 5104	4948	cmd.exe	91

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3652	attrib.exe
5104	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\SysWOW64\wuauclts.exe
  C:\Windows\system32\wuauclts.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\J.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\wuauclts.exe" -h -r -s
      4⤵
      Drops file in System32 directory
      Views/modifies file attributes
      PID:5104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\2849b60eb790f8127e85d8d6a433846e_JaffaCakes118.exe" -h -r -s
    3⤵
    - Views/modifies file attributes
    PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\J.bat

Filesize
462B

MD5
8c131410578261a7e41cb18914dc767d

SHA1
29f296a1c0924acf9a33eacd6f20f497e0d458f8

SHA256
e7d555822a470e96db627bcf14f50efbd0f7743d826b3dd5b0ecadad7de15fd1

SHA512
c8d20b75fb78f980ba2545dcc110e25a6adf19aac0b51f328db98e0a65228c262edd0373f45f448071bca83036d0537727c74df40e11fcdecf94fdb98a20047a

Download Submit
C:\Windows\SysWOW64\J.bat

Filesize
254B

MD5
dbd9bee5c490ffd969f99cb4e91f4879

SHA1
fc053ea6a715641876cab3d38e0e8b8ea2537a4f

SHA256
045d32fd918ffcf4c9572eaccb466cfac0b47c62ed4db2afb607e02e0f44f5f4

SHA512
5e143d1eb33b563bc4308a23628607844c6f481445b10ef85129cbbeee99dc8b388cc222059156f77e355c9474043fe14a8175d97b895a3812ef2b7816e2d4e1

Download Submit
C:\Windows\SysWOW64\mswinsck.ocx

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\SysWOW64\wuauclts.exe

Filesize
500KB

MD5
2849b60eb790f8127e85d8d6a433846e

SHA1
b9a587a965d3c91bac29d2aa138e3a0680927454

SHA256
782979c3363efffb51a2cbd969c7e108b7132df495b239fef88639c1059a98cf

SHA512
285c0bb8bf6c4f240d282c52351281d56e38e2e46447812b9e8bf663fa8501ae44216301fb3c1fb5324d542523bd1702f60fb135ead0b502ed39b8ff6a9b7a23

Download Submit
C:\Windows\SysWOW64\zlib.dll

Filesize
52KB

MD5
c88a6474424b1bf960e7ebb4b28d0ed0

SHA1
1405881be65153a661feab43115532f7ec80c077

SHA256
0df0c22bf411ad670d7b8fe5a533e4831313d5a3118cf9216389c642c90ec2f9

SHA512
a4c273f474cf15b86dc038a2bfceb28ee17178de20aa5c17378b15e92159cf70c29549d4e7254ae351d45054e4d15c3b87e5808fad9899f9417864fcb6f14d78

Download Submit
memory/4580-0-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/4580-1-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/4580-35-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/4840-21-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/4840-20-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/4840-34-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download