cc6e88b196518287c511184e2ebf32e7709bbba979ebc76d6330dcc4aca1406b

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Size

299KB
MD5

4bfaaf77df7bf02c19564305cb012ba0
SHA1

a3a62037f51438955a19014140d2a841d3eb2e98
SHA256

cc6e88b196518287c511184e2ebf32e7709bbba979ebc76d6330dcc4aca1406b
SHA512

beb39545c2ba5aea3f023a94aede92da2c8e0675a18cb336b83d9a4b60bfd9f407f3bfa161fb553d2521550dc2494e9f3db79e167d5c5460305aa4f402f5ec53
SSDEEP

6144:/lunfnxAy7wEqvtTzJiXtnQaGUwDKtyaMmYSMlpHBjhQ9PXb15E57:9wJZ2zJ4Q5DmclpHBNcC

Score

8^/10

persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscntfy.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscntfy.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\debugger = "IFEOFILE"	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2436	kvnan74server.exe
2428	svohst.exe

Loads dropped DLL 2 IoCs

pid	Process
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svohst.exe	kvnan74server.exe
File opened for modification	C:\Windows\SysWOW64\svohst.exe	kvnan74server.exe
File created	C:\Windows\SysWOW64\svohst.exe	svohst.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	kvnan74server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 2436	852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe	31
PID 852 wrote to memory of 2436	852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe	31
PID 852 wrote to memory of 2436	852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe	31
PID 852 wrote to memory of 2436	852	4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe	31
PID 2436 wrote to memory of 2876	2436	kvnan74server.exe	33
PID 2436 wrote to memory of 2876	2436	kvnan74server.exe	33
PID 2436 wrote to memory of 2876	2436	kvnan74server.exe	33
PID 2436 wrote to memory of 2876	2436	kvnan74server.exe	33

C:\Users\Admin\AppData\Local\Temp\4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4bfaaf77df7bf02c19564305cb012ba0_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852
- C:\Temp\kvnan74server.exe
  "C:\Temp\kvnan74server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:2876

C:\Windows\SysWOW64\svohst.exe
C:\Windows\SysWOW64\svohst.exe -NetSata
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deleteme.bat

Filesize
94B

MD5
489dfcfa1bc6fae328366b28863bee41

SHA1
215541c19dd812f6c4c46eb55dcfa94953c9ae70

SHA256
06f1f35d4cd672eb3f9c226bedddc16cd288be294fa82c2034dd61a1873cbdf8

SHA512
04d2f2adfbaa57baa388443677a271d94f1174fc1d543b5f5447066ca838e8f9b6bcb77b9d36da14ad2fba5df12c1b622e3566001158783f69c1660ef0f7edcc

Download Submit
\Temp\kvnan74server.exe

Filesize
476KB

MD5
9683c5af9164dd674242979191e5f710

SHA1
e6e2fbcee33a4cd0e9264e4ff259e38478a1ec2d

SHA256
850174353615b43b7392dec40ab9f27f4afe07d82abacfec690df17a6ef6322f

SHA512
16a97b6bdfa769232e7e17c1585d41a6258f2a4e3b594b0ca7f88ef512fd5237166c64c6b1758c39064e622224ff5df187a7ff27b51b4782605ef65292ecd3fc

Download Submit
memory/852-0-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/852-13-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2428-18-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2428-21-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2436-16-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2436-20-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download