276720cf837ad739f4e5db594b1993af540406bf2077d82814bbd0f91a171d8e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe
Size

92KB
MD5

5b9fd9ad4ace6f20860c07d82f42d302
SHA1

f0c36d6299d43bbbdc1e74441542f4fb4b46f709
SHA256

276720cf837ad739f4e5db594b1993af540406bf2077d82814bbd0f91a171d8e
SHA512

2133b8effaef92c6db1bc45b3e1ddfea09ab52fea3d6194c7f2ff45df321925c5a5a4f56796f7238113a0fa8b26ca8c54e025c9993db5df7cda6bb012f0a8c4d
SSDEEP

1536:Ne0QgIgRBMi2tAj1Wa543WTg2wqtvacBHUfC82MoXSYnyVy07hFPV5XYBA1+:Ne0Qg/I2jp43WTguU4iu50TYBA4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2192	18E52.exe
2992	18E52.exe
2600	CA42C.exe

Loads dropped DLL 8 IoCs

pid	Process
1528	5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe
1528	5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe
2992	18E52.exe
2992	18E52.exe
2600	CA42C.exe
2600	CA42C.exe
2600	CA42C.exe
2600	CA42C.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\AV8BS3SF.txt	CA42C.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\GGF8KXMX.txt	CA42C.exe
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	18E52.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	CA42C.exe
File opened for modification	C:\Windows\SysWOW64\18E52.exe	5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\JSBDVI14.txt	CA42C.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\AV8BS3SF.txt	CA42C.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\5UY1JPB8.txt	CA42C.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TB75G7B1.htm	CA42C.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\GGF8KXMX.txt	CA42C.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\JSBDVI14.txt	CA42C.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\5UY1JPB8.txt	CA42C.exe
File opened for modification	C:\Windows\SysWOW64\CA42C.exe	18E52.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	CA42C.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	CA42C.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	CA42C.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2A443A5-C3C8-4240-92AA-A9CD17696C50}\WpadDecisionReason = "1"	CA42C.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-83-8c-be-90-b8\WpadDecisionTime = 203002a1c9d9da01	CA42C.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2A443A5-C3C8-4240-92AA-A9CD17696C50}\WpadDecisionTime = 203002a1c9d9da01	CA42C.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2A443A5-C3C8-4240-92AA-A9CD17696C50}\WpadDecision = "0"	CA42C.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	CA42C.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	CA42C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	CA42C.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	CA42C.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0069000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	CA42C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2A443A5-C3C8-4240-92AA-A9CD17696C50}\WpadNetworkName = "Network 2"	CA42C.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-83-8c-be-90-b8	CA42C.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2A443A5-C3C8-4240-92AA-A9CD17696C50}\9a-83-8c-be-90-b8	CA42C.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	CA42C.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	CA42C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	CA42C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	CA42C.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2A443A5-C3C8-4240-92AA-A9CD17696C50}	CA42C.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-83-8c-be-90-b8\WpadDecisionReason = "1"	CA42C.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	CA42C.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	CA42C.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-83-8c-be-90-b8\WpadDecision = "0"	CA42C.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	CA42C.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX, 1"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	CA42C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	CA42C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	CA42C.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1528	5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe
2192	18E52.exe
2992	18E52.exe
2600	CA42C.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2192	1528	5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2192	1528	5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2192	1528	5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2192	1528	5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe	30
PID 2192 wrote to memory of 3044	2192	18E52.exe	31
PID 2192 wrote to memory of 3044	2192	18E52.exe	31
PID 2192 wrote to memory of 3044	2192	18E52.exe	31
PID 2192 wrote to memory of 3044	2192	18E52.exe	31
PID 1528 wrote to memory of 2868	1528	5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe	33
PID 1528 wrote to memory of 2868	1528	5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe	33
PID 1528 wrote to memory of 2868	1528	5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe	33
PID 1528 wrote to memory of 2868	1528	5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2100	2192	18E52.exe	34
PID 2192 wrote to memory of 2100	2192	18E52.exe	34
PID 2192 wrote to memory of 2100	2192	18E52.exe	34
PID 2192 wrote to memory of 2100	2192	18E52.exe	34
PID 3044 wrote to memory of 1568	3044	cmd.exe	35
PID 3044 wrote to memory of 1568	3044	cmd.exe	35
PID 3044 wrote to memory of 1568	3044	cmd.exe	35
PID 3044 wrote to memory of 1568	3044	cmd.exe	35
PID 2868 wrote to memory of 2752	2868	cmd.exe	38
PID 2868 wrote to memory of 2752	2868	cmd.exe	38
PID 2868 wrote to memory of 2752	2868	cmd.exe	38
PID 2868 wrote to memory of 2752	2868	cmd.exe	38
PID 2100 wrote to memory of 2816	2100	cmd.exe	39
PID 2100 wrote to memory of 2816	2100	cmd.exe	39
PID 2100 wrote to memory of 2816	2100	cmd.exe	39
PID 2100 wrote to memory of 2816	2100	cmd.exe	39
PID 1568 wrote to memory of 2832	1568	net.exe	40
PID 1568 wrote to memory of 2832	1568	net.exe	40
PID 1568 wrote to memory of 2832	1568	net.exe	40
PID 1568 wrote to memory of 2832	1568	net.exe	40
PID 2752 wrote to memory of 2836	2752	net.exe	41
PID 2752 wrote to memory of 2836	2752	net.exe	41
PID 2752 wrote to memory of 2836	2752	net.exe	41
PID 2752 wrote to memory of 2836	2752	net.exe	41
PID 2816 wrote to memory of 2852	2816	net.exe	42
PID 2816 wrote to memory of 2852	2816	net.exe	42
PID 2816 wrote to memory of 2852	2816	net.exe	42
PID 2816 wrote to memory of 2852	2816	net.exe	42
PID 2992 wrote to memory of 2708	2992	18E52.exe	44
PID 2992 wrote to memory of 2708	2992	18E52.exe	44
PID 2992 wrote to memory of 2708	2992	18E52.exe	44
PID 2992 wrote to memory of 2708	2992	18E52.exe	44
PID 2708 wrote to memory of 2896	2708	cmd.exe	46
PID 2708 wrote to memory of 2896	2708	cmd.exe	46
PID 2708 wrote to memory of 2896	2708	cmd.exe	46
PID 2708 wrote to memory of 2896	2708	cmd.exe	46
PID 2896 wrote to memory of 2764	2896	net.exe	47
PID 2896 wrote to memory of 2764	2896	net.exe	47
PID 2896 wrote to memory of 2764	2896	net.exe	47
PID 2896 wrote to memory of 2764	2896	net.exe	47
PID 2992 wrote to memory of 2600	2992	18E52.exe	48
PID 2992 wrote to memory of 2600	2992	18E52.exe	48
PID 2992 wrote to memory of 2600	2992	18E52.exe	48
PID 2992 wrote to memory of 2600	2992	18E52.exe	48

C:\Users\Admin\AppData\Local\Temp\5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b9fd9ad4ace6f20860c07d82f42d302_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\18E52.exe
  C:\Windows\system32\18E52.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "net start 18E52"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\net.exe
      net start 18E52
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start 18E52
        5⤵
        
        PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "net start 18E52"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\SysWOW64\net.exe
      net start 18E52
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start 18E52
        5⤵
        
        PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "net start 18E52"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\net.exe
    net start 18E52
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start 18E52
      4⤵
      PID:2836

C:\Windows\SysWOW64\18E52.exe
C:\Windows\SysWOW64\18E52.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "net start 18E52"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\net.exe
    net start 18E52
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start 18E52
      4⤵
      PID:2764
- C:\Windows\SysWOW64\CA42C.exe
  C:\Windows\system32\CA42C.exe eee
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\18E52.exe

Filesize
92KB

MD5
5b9fd9ad4ace6f20860c07d82f42d302

SHA1
f0c36d6299d43bbbdc1e74441542f4fb4b46f709

SHA256
276720cf837ad739f4e5db594b1993af540406bf2077d82814bbd0f91a171d8e

SHA512
2133b8effaef92c6db1bc45b3e1ddfea09ab52fea3d6194c7f2ff45df321925c5a5a4f56796f7238113a0fa8b26ca8c54e025c9993db5df7cda6bb012f0a8c4d

Download Submit
\Windows\SysWOW64\CA42C.exe

Filesize
100KB

MD5
afe1b5525ce3d6c14c8c03bf29da5607

SHA1
b789e7785a4b81cb6196bb8b71544d5716dddc64

SHA256
ff76be234730780c6a8e2a3a262f8bf6b9f08ed97230f8bc8a299ae96a2163ed

SHA512
f1523fa1a4e0236d3310c4975e3987fea7f2d4aa20f3978f6d330058538a752c597b2110818f09404e0a2b2c4631460263ec707e960de53587e8c6577a672632

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
memory/1528-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1528-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1528-12-0x00000000002F0000-0x0000000000335000-memory.dmp

Filesize
276KB

Download
memory/1528-20-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2192-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2192-16-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2192-18-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2992-41-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download