5cefdfbb585321107802865a914aba9fa9c5ac563942f6bcc032fbfc41789ef2

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe
Size

416KB
MD5

36eaaf126d6b4f7f6eefbc33e2a19f6c
SHA1

8465371a3723b733c3538ee55b7dfe494ae71e2d
SHA256

5cefdfbb585321107802865a914aba9fa9c5ac563942f6bcc032fbfc41789ef2
SHA512

7e04a2ba5d86f2e1c75689152d94571a89e4782cdfa67e1e02465afc9e336f6234cc204468a8ba118486c7928027992133e242b155cb19329da2875fcf0bb33b
SSDEEP

12288:/DLOhQiq/baOtDO5k+XWsJQrrUmhiK2thyHRU:/DuQiqjklWhiTyHRU

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ynS4WJZ6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xtveuh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	ynS4WJZ6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3008	ynS4WJZ6.exe
3020	xtveuh.exe
1188	2aid.exe
3468	2aid.exe
2764	3aid.exe
2876	4aid.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3468-47-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3468-52-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3468-51-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3468-50-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /O"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /Y"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /b"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /w"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /f"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /x"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /X"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /J"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /E"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /i"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /Z"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /A"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /y"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /K"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /W"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /t"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /p"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /u"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /n"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /G"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /s"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /m"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /c"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /q"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /B"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /j"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /o"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /d"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /h"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /D"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /S"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /k"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /T"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /I"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /R"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /M"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /C"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /U"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /N"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /Q"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /a"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /z"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /P"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /a"	ynS4WJZ6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /e"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /F"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /r"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /H"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /L"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /v"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /V"	xtveuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtveuh = "C:\\Users\\Admin\\xtveuh.exe /g"	xtveuh.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1188 set thread context of 3468	1188	2aid.exe	91
PID 2764 set thread context of 3908	2764	3aid.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2816	tasklist.exe
1632	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3008	ynS4WJZ6.exe
3008	ynS4WJZ6.exe
3008	ynS4WJZ6.exe
3008	ynS4WJZ6.exe
3468	2aid.exe
3468	2aid.exe
2764	3aid.exe
2764	3aid.exe
3020	xtveuh.exe
3020	xtveuh.exe
3020	xtveuh.exe
3020	xtveuh.exe
3468	2aid.exe
3468	2aid.exe
3020	xtveuh.exe
3020	xtveuh.exe
3020	xtveuh.exe
3020	xtveuh.exe
3020	xtveuh.exe
3020	xtveuh.exe
3020	xtveuh.exe
3020	xtveuh.exe
3468	2aid.exe
3468	2aid.exe
3468	2aid.exe
3020	xtveuh.exe
3468	2aid.exe
3020	xtveuh.exe
3468	2aid.exe
3468	2aid.exe
3020	xtveuh.exe
3020	xtveuh.exe
3020	xtveuh.exe
3020	xtveuh.exe
3468	2aid.exe
3020	xtveuh.exe
3468	2aid.exe
3020	xtveuh.exe
3468	2aid.exe
3468	2aid.exe
3020	xtveuh.exe
3020	xtveuh.exe
3468	2aid.exe
3468	2aid.exe
3020	xtveuh.exe
3020	xtveuh.exe
3020	xtveuh.exe
3020	xtveuh.exe
3468	2aid.exe
3468	2aid.exe
3020	xtveuh.exe
3020	xtveuh.exe
3468	2aid.exe
3468	2aid.exe
3020	xtveuh.exe
3020	xtveuh.exe
3468	2aid.exe
3468	2aid.exe
3468	2aid.exe
3468	2aid.exe
3468	2aid.exe
3468	2aid.exe
3020	xtveuh.exe
3020	xtveuh.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	tasklist.exe
Token: SeDebugPrivilege	2764	3aid.exe
Token: SeDebugPrivilege	2764	3aid.exe
Token: SeDebugPrivilege	1632	tasklist.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe
3008	ynS4WJZ6.exe
3020	xtveuh.exe
1188	2aid.exe
2876	4aid.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 3008	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	86
PID 3688 wrote to memory of 3008	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	86
PID 3688 wrote to memory of 3008	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	86
PID 3008 wrote to memory of 3020	3008	ynS4WJZ6.exe	87
PID 3008 wrote to memory of 3020	3008	ynS4WJZ6.exe	87
PID 3008 wrote to memory of 3020	3008	ynS4WJZ6.exe	87
PID 3688 wrote to memory of 1188	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	88
PID 3688 wrote to memory of 1188	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	88
PID 3688 wrote to memory of 1188	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	88
PID 3008 wrote to memory of 4460	3008	ynS4WJZ6.exe	89
PID 3008 wrote to memory of 4460	3008	ynS4WJZ6.exe	89
PID 3008 wrote to memory of 4460	3008	ynS4WJZ6.exe	89
PID 1188 wrote to memory of 3468	1188	2aid.exe	91
PID 1188 wrote to memory of 3468	1188	2aid.exe	91
PID 1188 wrote to memory of 3468	1188	2aid.exe	91
PID 1188 wrote to memory of 3468	1188	2aid.exe	91
PID 1188 wrote to memory of 3468	1188	2aid.exe	91
PID 1188 wrote to memory of 3468	1188	2aid.exe	91
PID 1188 wrote to memory of 3468	1188	2aid.exe	91
PID 1188 wrote to memory of 3468	1188	2aid.exe	91
PID 4460 wrote to memory of 2816	4460	cmd.exe	92
PID 4460 wrote to memory of 2816	4460	cmd.exe	92
PID 4460 wrote to memory of 2816	4460	cmd.exe	92
PID 3688 wrote to memory of 2764	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	94
PID 3688 wrote to memory of 2764	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	94
PID 3688 wrote to memory of 2764	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	94
PID 2764 wrote to memory of 3908	2764	3aid.exe	95
PID 2764 wrote to memory of 3908	2764	3aid.exe	95
PID 2764 wrote to memory of 3908	2764	3aid.exe	95
PID 2764 wrote to memory of 3908	2764	3aid.exe	95
PID 3688 wrote to memory of 2876	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	97
PID 3688 wrote to memory of 2876	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	97
PID 3688 wrote to memory of 2876	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	97
PID 3688 wrote to memory of 3272	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	100
PID 3688 wrote to memory of 3272	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	100
PID 3688 wrote to memory of 3272	3688	36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe	100
PID 3272 wrote to memory of 1632	3272	cmd.exe	102
PID 3272 wrote to memory of 1632	3272	cmd.exe	102
PID 3272 wrote to memory of 1632	3272	cmd.exe	102
PID 3020 wrote to memory of 1632	3020	xtveuh.exe	102
PID 3020 wrote to memory of 1632	3020	xtveuh.exe	102

C:\Users\Admin\AppData\Local\Temp\36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\ynS4WJZ6.exe
  C:\Users\Admin\ynS4WJZ6.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\xtveuh.exe
    "C:\Users\Admin\xtveuh.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del ynS4WJZ6.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2816
- C:\Users\Admin\2aid.exe
  C:\Users\Admin\2aid.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Users\Admin\2aid.exe
    "C:\Users\Admin\2aid.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3468
- C:\Users\Admin\3aid.exe
  C:\Users\Admin\3aid.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:3908
- C:\Users\Admin\4aid.exe
  C:\Users\Admin\4aid.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 36eaaf126d6b4f7f6eefbc33e2a19f6c_JaffaCakes118.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2aid.exe

Filesize
72KB

MD5
bfd48191f79f45416e67efe6a8f25d5d

SHA1
ae31da442af2fe6ef7f960c3a50a3250baeafd8e

SHA256
8271c7ff81aeb4d60ddf9b7c6c5c7e9a391324b999184f79bac6fcd411f804f5

SHA512
2b2ff2c152e6ddf98d5e1043b456f080178a61413aa37a12166759a32a7b8ae98e8adcd90c76d4601c7da1334589fe93e4691e51f90dac70d74e954d06a246b8

Download Submit
C:\Users\Admin\3aid.exe

Filesize
208KB

MD5
914c8e336d83ca18bde8ec3d6dd5d852

SHA1
85fd8a4c0114a421d05ca78be872def090b217b8

SHA256
0061ffc16cd3615e7d30f22a69d65642cb13f55a357da9f379ebe904168bbe5e

SHA512
578e6b94bf576359daf96cc097c5798c9a1b8f3a47ba3f4f0707503ce32f78fafb6f0540a95f2ba311223e14be8f192468a4f3c644fe9cff9198e8ead92c0673

Download Submit
C:\Users\Admin\4aid.exe

Filesize
44KB

MD5
27ddac23e41b3aba1371229bc3114ebe

SHA1
70e7b60767a38a27d22b03415006c5a265fe5e93

SHA256
afa5e7176ef811c85155cb18eed520d12c1bedc2c3e3e1775a197c8a687e3614

SHA512
e18dc372eff827a6590c3ff9a83d428ce2fef6682b9a0ddf667489f5d148472b6f9f6239c4df68eae43c377a4c1f633c45221902044288cdbfdf20708cdd1ebd

Download Submit
C:\Users\Admin\xtveuh.exe

Filesize
292KB

MD5
656e40af89510ee4d45b6a42e285cd30

SHA1
3e15964d797973913a845ec9f9f508834a260490

SHA256
3a5ce5021ecaeffbfbe82e984b7ff190cb5b1045e0a4934c48fce4f6feeb5094

SHA512
5d1a7d44b23c639df9f27cf3e50252ecfad4a8e1810354a4e8e605519a4f87248b7f745f9c533415c75435aac7ec71219b89b7e6a1c17400f9b370d180b483c1

Download Submit
C:\Users\Admin\ynS4WJZ6.exe

Filesize
292KB

MD5
b336ee551b4c80dde9f97aec73ea26bd

SHA1
fb0be70476d28d89187b369bf73a98fb040d9c0b

SHA256
a381f7f881ff01be2dda54067ea7e182044f130b7a69c339968262ec90180649

SHA512
5348846868a3f257c692dda8dfd9b7ddb0a39053de8f2b521dce7964139dbd07f5a5108a2186c491a152d932da8355b98d39babeec712175d9caeb0633784a52

Download Submit
memory/2764-57-0x0000000030670000-0x00000000306A4000-memory.dmp

Filesize
208KB

Download
memory/2764-58-0x0000000030670000-0x00000000306A4000-memory.dmp

Filesize
208KB

Download
memory/3468-47-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3468-52-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3468-51-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3468-50-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download