Overview
overview
10Static
static
3494b4a4f6f...18.exe
windows7-x64
3494b4a4f6f...18.exe
windows10-2004-x64
10$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Unlocker.exe
windows7-x64
1Unlocker.exe
windows10-2004-x64
1UnlockerAssistant.exe
windows7-x64
1UnlockerAssistant.exe
windows10-2004-x64
1UnlockerCOM.dll
windows7-x64
1UnlockerCOM.dll
windows10-2004-x64
1UnlockerDriver5.sys
windows7-x64
1UnlockerDriver5.sys
windows10-2004-x64
1UnlockerHook.dll
windows7-x64
1UnlockerHook.dll
windows10-2004-x64
1eBay_short...16.exe
windows7-x64
7eBay_short...16.exe
windows10-2004-x64
3eBayShortcuts.exe
windows7-x64
1eBayShortcuts.exe
windows10-2004-x64
3uninst.exe
windows7-x64
3uninst.exe
windows10-2004-x64
10$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Analysis
-
max time kernel
149s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
15/07/2024, 09:57
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Resource
win7-20240704-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
11 signatures
150 seconds
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240704-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral5
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20240705-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral6
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240708-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral9
Sample
Unlocker.exe
Resource
win7-20240705-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral10
Sample
Unlocker.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral11
Sample
UnlockerAssistant.exe
Resource
win7-20240705-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral12
Sample
UnlockerAssistant.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral13
Sample
UnlockerCOM.dll
Resource
win7-20240704-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral14
Sample
UnlockerCOM.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral15
Sample
UnlockerDriver5.sys
Resource
win7-20240708-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral16
Sample
UnlockerDriver5.sys
Resource
win10v2004-20240709-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral17
Sample
UnlockerHook.dll
Resource
win7-20240705-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral18
Sample
UnlockerHook.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral19
Sample
eBay_shortcuts_1016.exe
Resource
win7-20240705-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral20
Sample
eBay_shortcuts_1016.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral21
Sample
eBayShortcuts.exe
Resource
win7-20240704-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral22
Sample
eBayShortcuts.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
150 seconds
Behavioral task
behavioral23
Sample
uninst.exe
Resource
win7-20240704-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral24
Sample
uninst.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
8 signatures
150 seconds
Behavioral task
behavioral25
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240704-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral26
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral27
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240705-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral28
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
-
Size
297KB
-
MD5
494b4a4f6f9fc3d298619519417bac4a
-
SHA1
c1e1bda6a632ae178386b89da3a3d15d97ef9bca
-
SHA256
d4979877d317ac3ee167239f647f6a55a821cfac7875528e3bbecb7110f2f60b
-
SHA512
b81e78488654f27fb9c8725e4f0c1555eefabe8958a72dd36a90362689aebc990213f4aafc082baebe6f6683082aad0a7bac62365ca3854df36598db4e33f320
-
SSDEEP
6144:+O9jt6wZu8OGauB794zlvkuymdzXZIwaUPT3Pbkx:oQauB794zny3wpPbbkx
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe -
Loads dropped DLL 2 IoCs
pid Process 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/1936-14-0x00000000022B0000-0x00000000032DA000-memory.dmp upx behavioral2/memory/1936-16-0x00000000022B0000-0x00000000032DA000-memory.dmp upx behavioral2/memory/1936-7-0x00000000022B0000-0x00000000032DA000-memory.dmp upx behavioral2/memory/1936-23-0x00000000022B0000-0x00000000032DA000-memory.dmp upx behavioral2/memory/1936-109-0x00000000022B0000-0x00000000032DA000-memory.dmp upx behavioral2/memory/1936-141-0x00000000022B0000-0x00000000032DA000-memory.dmp upx behavioral2/memory/1936-143-0x00000000022B0000-0x00000000032DA000-memory.dmp upx behavioral2/memory/1936-145-0x00000000022B0000-0x00000000032DA000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe Token: SeDebugPrivilege 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1936 wrote to memory of 788 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 9 PID 1936 wrote to memory of 792 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 10 PID 1936 wrote to memory of 1012 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 13 PID 1936 wrote to memory of 2484 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 42 PID 1936 wrote to memory of 2504 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 43 PID 1936 wrote to memory of 2856 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 50 PID 1936 wrote to memory of 3500 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 56 PID 1936 wrote to memory of 3672 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 57 PID 1936 wrote to memory of 3852 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 58 PID 1936 wrote to memory of 3948 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 59 PID 1936 wrote to memory of 4016 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 60 PID 1936 wrote to memory of 2784 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 61 PID 1936 wrote to memory of 3692 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 62 PID 1936 wrote to memory of 476 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 64 PID 1936 wrote to memory of 4036 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 75 PID 1936 wrote to memory of 2760 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 80 PID 1936 wrote to memory of 1584 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 81 PID 1936 wrote to memory of 788 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 9 PID 1936 wrote to memory of 792 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 10 PID 1936 wrote to memory of 1012 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 13 PID 1936 wrote to memory of 2484 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 42 PID 1936 wrote to memory of 2504 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 43 PID 1936 wrote to memory of 2856 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 50 PID 1936 wrote to memory of 3500 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 56 PID 1936 wrote to memory of 3672 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 57 PID 1936 wrote to memory of 3852 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 58 PID 1936 wrote to memory of 3948 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 59 PID 1936 wrote to memory of 4016 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 60 PID 1936 wrote to memory of 2784 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 61 PID 1936 wrote to memory of 3692 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 62 PID 1936 wrote to memory of 476 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 64 PID 1936 wrote to memory of 4036 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 75 PID 1936 wrote to memory of 2760 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 80 PID 1936 wrote to memory of 2256 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 84 PID 1936 wrote to memory of 2684 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 85 PID 1936 wrote to memory of 788 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 9 PID 1936 wrote to memory of 792 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 10 PID 1936 wrote to memory of 1012 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 13 PID 1936 wrote to memory of 2484 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 42 PID 1936 wrote to memory of 2504 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 43 PID 1936 wrote to memory of 2856 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 50 PID 1936 wrote to memory of 3500 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 56 PID 1936 wrote to memory of 3672 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 57 PID 1936 wrote to memory of 3852 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 58 PID 1936 wrote to memory of 3948 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 59 PID 1936 wrote to memory of 4016 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 60 PID 1936 wrote to memory of 2784 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 61 PID 1936 wrote to memory of 3692 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 62 PID 1936 wrote to memory of 476 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 64 PID 1936 wrote to memory of 4036 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 75 PID 1936 wrote to memory of 2760 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 80 PID 1936 wrote to memory of 2256 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 84 PID 1936 wrote to memory of 2684 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 85 PID 1936 wrote to memory of 2324 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 86 PID 1936 wrote to memory of 2324 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 86 PID 1936 wrote to memory of 2324 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 86 PID 1936 wrote to memory of 2324 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 86 PID 1936 wrote to memory of 560 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 87 PID 1936 wrote to memory of 560 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 87 PID 1936 wrote to memory of 560 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 87 PID 1936 wrote to memory of 560 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 87 PID 1936 wrote to memory of 1280 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 88 PID 1936 wrote to memory of 1280 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 88 PID 1936 wrote to memory of 1280 1936 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe 88 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:788
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:792
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1012
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2484
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2504
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2856
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3500
-
C:\Users\Admin\AppData\Local\Temp\494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\494b4a4f6f9fc3d298619519417bac4a_JaffaCakes118.exe"2⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1936 -
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:2324
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:560
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:1280
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:4704
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:5024
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:3560
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:1040
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:872
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:3848
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:2812
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:1696
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:1236
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:2036
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:1152
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:1020
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵PID:1332
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3672
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3852
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3948
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4016
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2784
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3692
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:476
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:4036
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:2760
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1584
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2256
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2684
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD507f3b3445f66e1089567796bf3c8be78
SHA1851eb574c1067b23a654f8aa47b17ef599b24d1c
SHA256a505e6c537a5ce0166227dda9f7671605395592ac9f1a3764e8a01b713939db1
SHA5128c56308fff3a947b26fd0d98dbdd96c406ddf967f5d7abee8cba082b6c46a4e575094bb0bb981551ac5160bb5089cf6fb125dd17a659c427e28c07402adab1c3
-
Filesize
5KB
MD52c3c8976d729d28478a789217a882291
SHA110c18b23fac957419547ef0f8ec3bc1b10e91e79
SHA256799f91bdd59f2133bf195c5b4ca685ee91666d981a6bcd8a6c45b7c8ecc96eef
SHA512749c650974f94cc5009124d3fa3d9bb1ee5824a3fa0a76b81733e08379678a2a1b7c54b77d1709fb6de24c81c68c03c0ec3e9ec5ccad0d30d9237300794f1213
-
Filesize
696B
MD53ae54338f041d2ce4a56067b611ff32b
SHA1fc6f45e62217d190dcd45e2c15718e2541a3669c
SHA2561a983dbd14cd2407bb3df98ab266c1c72fecc2029aa2fac823101805bd7e0f4c
SHA512d40c10cf14574271a376e15abf8473098ec0470e6b255150a64fda54301c2dea8d393909f1a9dc307d1f4fc5661ce34772f6e3ebc4f0f35b29893f3b7e86e899