Analysis
max time kernel: 120s
max time network: 152s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 10/07/2024, 08:53
Static task: static1
Behavioral task: behavioral1
  Sample: 340d8df768269411ee6196e347585b68_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 340d8df768269411ee6196e347585b68_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 340d8df768269411ee6196e347585b68_JaffaCakes118.exe
Size: 1.9MB
MD5: 340d8df768269411ee6196e347585b68
SHA1: c9a828abe5fbf97f3593c9797c4fb7142e4b482d
SHA256: 893ce8410fb15a7802523f033f4abdffd8ef35c1a2342199e6c09c54173dff9d
SHA512: e03a0ba6521f2b30da8cc7c6948af23bfbfb4d532a605187d607cac6810e3c9161dd4f1a4f2d3f4b36709c8ba349831daae8cc44ae7cfc74657c18a25fbfa182
SSDEEP: 49152:fHqjfedt0TY2oHtMYQ0M/pBi1tR6TRJLu:Wfedt0TYH+0M/pBmkTjLu
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 5 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Macromedia Shockwave Flash" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "8.0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash" | msiexec.exe
Loads dropped DLL (8 IoCs)
pid | Process
1340 | MsiExec.exe
1340 | MsiExec.exe
1340 | MsiExec.exe
1340 | MsiExec.exe
1340 | MsiExec.exe
1340 | MsiExec.exe
2756 | 340d8df768269411ee6196e347585b68_JaffaCakes118.exe
2756 | 340d8df768269411ee6196e347585b68_JaffaCakes118.exe
Blocklisted process makes network request (1 IoCs)
flow | pid | Process
3 | 2540 | msiexec.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Macromed\Flash\Flash8.ocx | msiexec.exe
File created | C:\Windows\SysWOW64\Macromed\Flash\GetFlash.exe | msiexec.exe
File created | C:\Windows\SysWOW64\Macromed\Flash\GetFlash.exe.manifest | msiexec.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\f77284b.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\f77284b.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2EF6.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f772848.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI29FF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2C13.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2C14.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2CF0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2DBC.tmp | msiexec.exe
File created | C:\Windows\Installer\f77284d.msi | msiexec.exe
File created | C:\Windows\Installer\f772848.msi | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | 340d8df768269411ee6196e347585b68_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 340d8df768269411ee6196e347585b68_JaffaCakes118.exe
Modifies Internet Explorer settings (3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000} | msiexec.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ = "Shockwave Flash Object" | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp\CurVer | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash8.ocx\\2" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\Version = "1.0" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp\CurVer\ = "FlashProp.FlashProp.1" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32\ThreadingModel = "Apartment" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32\ = "C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash8.ocx" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\Version = "1.0" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\Programmable | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\HELPDIR | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\ = "Shockwave Flash Object" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\ = "Shockwave Flash Object" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\FLAGS\ = "0" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\0\win32 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\ = "Macromedia Flash Factory Object" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\ = "MacromediaFlashPaper.MacromediaFlashPaper" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer\ = "ShockwaveFlash.ShockwaveFlash.8" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sol\Content Type = "text/plain" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\ = "Shockwave Flash Object" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\ = "FlashAccessibility" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\FLAGS | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID\ = "FlashFactory.FlashFactory.1" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.swf\Content Type = "application/x-shockwave-flash" | MsiExec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2540 | msiexec.exe
2540 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2904 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2904 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeSecurityPrivilege | 2540 | msiexec.exe
Token: SeCreateTokenPrivilege | 2904 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2904 | msiexec.exe
Token: SeLockMemoryPrivilege | 2904 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2904 | msiexec.exe
Token: SeMachineAccountPrivilege | 2904 | msiexec.exe
Token: SeTcbPrivilege | 2904 | msiexec.exe
Token: SeSecurityPrivilege | 2904 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2904 | msiexec.exe
Token: SeLoadDriverPrivilege | 2904 | msiexec.exe
Token: SeSystemProfilePrivilege | 2904 | msiexec.exe
Token: SeSystemtimePrivilege | 2904 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2904 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2904 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2904 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2904 | msiexec.exe
Token: SeBackupPrivilege | 2904 | msiexec.exe
Token: SeRestorePrivilege | 2904 | msiexec.exe
Token: SeShutdownPrivilege | 2904 | msiexec.exe
Token: SeDebugPrivilege | 2904 | msiexec.exe
Token: SeAuditPrivilege | 2904 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2904 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2904 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2904 | msiexec.exe
Token: SeUndockPrivilege | 2904 | msiexec.exe
Token: SeSyncAgentPrivilege | 2904 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2904 | msiexec.exe
Token: SeManageVolumePrivilege | 2904 | msiexec.exe
Token: SeImpersonatePrivilege | 2904 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2904 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Token: SeRestorePrivilege | 2540 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2540 | msiexec.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2756 | 340d8df768269411ee6196e347585b68_JaffaCakes118.exe
2756 | 340d8df768269411ee6196e347585b68_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2756 wrote to memory of 2904 | 2756 | 340d8df768269411ee6196e347585b68_JaffaCakes118.exe | 30
PID 2756 wrote to memory of 2904 | 2756 | 340d8df768269411ee6196e347585b68_JaffaCakes118.exe | 30
PID 2756 wrote to memory of 2904 | 2756 | 340d8df768269411ee6196e347585b68_JaffaCakes118.exe | 30
PID 2756 wrote to memory of 2904 | 2756 | 340d8df768269411ee6196e347585b68_JaffaCakes118.exe | 30
PID 2756 wrote to memory of 2904 | 2756 | 340d8df768269411ee6196e347585b68_JaffaCakes118.exe | 30
PID 2756 wrote to memory of 2904 | 2756 | 340d8df768269411ee6196e347585b68_JaffaCakes118.exe | 30
PID 2756 wrote to memory of 2904 | 2756 | 340d8df768269411ee6196e347585b68_JaffaCakes118.exe | 30
PID 2540 wrote to memory of 1340 | 2540 | msiexec.exe | 32
PID 2540 wrote to memory of 1340 | 2540 | msiexec.exe | 32
PID 2540 wrote to memory of 1340 | 2540 | msiexec.exe | 32
PID 2540 wrote to memory of 1340 | 2540 | msiexec.exe | 32
PID 2540 wrote to memory of 1340 | 2540 | msiexec.exe | 32
PID 2540 wrote to memory of 1340 | 2540 | msiexec.exe | 32
PID 2540 wrote to memory of 1340 | 2540 | msiexec.exe | 32
Processes
C:\Users\Admin\AppData\Local\Temp\340d8df768269411ee6196e347585b68_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\340d8df768269411ee6196e347585b68_JaffaCakes118.exe"
  PID: 2756
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\IFViewer\3210711948\FP.msi" /Q
    PID: 2904
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2540
  - Boot or Logon Autostart Execution: Active Setup
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DBAD0E81128112A7DE245C966EFC4E27
    PID: 1340
    - Loads dropped DLL
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads