42abe8d862cc51b6353d1bd5124ad3b288bab75ee28d34353fc99b70f7e3b941

Analysis

max time kernel
146s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe
Size

409KB
MD5

6016477a96fd9762fd7f6f33b6097a13
SHA1

8f8baf87ae8c15fcd6f6eb83a0461a6be171f15e
SHA256

42abe8d862cc51b6353d1bd5124ad3b288bab75ee28d34353fc99b70f7e3b941
SHA512

2b1438c4616254762842586bc45a1e18bcf4d4c2d86cd3bec792be115ccb65bf05cd3387443351e944478a6675bc12917e0d7505e20f437c614bf904c5f9cec1
SSDEEP

12288:D4uoXLAAuseZGoL/rgL4Mzxuyqu97YmQcVSPwUES0:nXseZGO/rPcuyquymQcVSPwdX

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2208	srvsec.exe

Executes dropped EXE 29 IoCs

pid	Process
2208	srvsec.exe
2380	srvsce.exe
2808	srvsec.exe
2636	srvsce.exe
2620	srvsec.exe
2012	srvsce.exe
1412	srvsec.exe
600	srvsce.exe
1672	srvsec.exe
1692	srvsce.exe
2436	srvsec.exe
288	srvsce.exe
772	srvsec.exe
1028	srvsce.exe
740	srvsec.exe
980	srvsce.exe
1936	srvsec.exe
344	srvsce.exe
2120	srvsec.exe
1528	srvsce.exe
2696	srvsec.exe
2812	srvsce.exe
264	srvsec.exe
2644	srvsce.exe
2768	srvsec.exe
2728	srvsce.exe
2736	srvsec.exe
2620	srvsce.exe
1984	srvsec.exe

Loads dropped DLL 58 IoCs

pid	Process
2476	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe
2476	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe
2208	srvsec.exe
2208	srvsec.exe
2380	srvsce.exe
2380	srvsce.exe
2808	srvsec.exe
2808	srvsec.exe
2636	srvsce.exe
2636	srvsce.exe
2620	srvsec.exe
2620	srvsec.exe
2012	srvsce.exe
2012	srvsce.exe
1412	srvsec.exe
1412	srvsec.exe
600	srvsce.exe
600	srvsce.exe
1672	srvsec.exe
1672	srvsec.exe
1692	srvsce.exe
1692	srvsce.exe
2436	srvsec.exe
2436	srvsec.exe
288	srvsce.exe
288	srvsce.exe
772	srvsec.exe
772	srvsec.exe
1028	srvsce.exe
1028	srvsce.exe
740	srvsec.exe
740	srvsec.exe
980	srvsce.exe
980	srvsce.exe
1936	srvsec.exe
1936	srvsec.exe
344	srvsce.exe
344	srvsce.exe
2120	srvsec.exe
2120	srvsec.exe
1528	srvsce.exe
1528	srvsce.exe
2696	srvsec.exe
2696	srvsec.exe
2812	srvsce.exe
2812	srvsce.exe
264	srvsec.exe
264	srvsec.exe
2644	srvsce.exe
2644	srvsce.exe
2768	srvsec.exe
2768	srvsec.exe
2728	srvsce.exe
2728	srvsce.exe
2736	srvsec.exe
2736	srvsec.exe
2620	srvsce.exe
2620	srvsce.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2476-0-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/files/0x000d00000001227f-9.dat	upx
behavioral1/memory/2476-11-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2208-12-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2208-18-0x0000000002130000-0x0000000002230000-memory.dmp	upx
behavioral1/memory/2208-27-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2808-41-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2380-40-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2636-55-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2808-54-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2620-69-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2636-68-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2012-83-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2620-82-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1412-95-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2012-98-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1412-111-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1672-126-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/600-125-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/600-122-0x0000000002140000-0x0000000002240000-memory.dmp	upx
behavioral1/memory/1672-139-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1692-140-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2436-153-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1692-152-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/288-165-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2436-167-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/772-180-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/288-182-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1028-193-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/772-192-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/740-200-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1028-201-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/740-209-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/980-210-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/980-217-0x0000000001EB0000-0x0000000001FB0000-memory.dmp	upx
behavioral1/memory/1936-218-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/980-220-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1936-228-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/344-236-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2120-244-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2696-252-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1528-253-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2696-261-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2812-262-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/264-268-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2812-271-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/264-279-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2644-280-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2768-289-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2644-288-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2768-297-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2728-298-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2728-306-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2736-307-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2736-315-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2620-316-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2620-324-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1984-325-0x0000000000400000-0x0000000000500000-memory.dmp	upx

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe"	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2208	2476	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe	30
PID 2476 wrote to memory of 2208	2476	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe	30
PID 2476 wrote to memory of 2208	2476	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe	30
PID 2476 wrote to memory of 2208	2476	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2380	2208	srvsec.exe	32
PID 2208 wrote to memory of 2380	2208	srvsec.exe	32
PID 2208 wrote to memory of 2380	2208	srvsec.exe	32
PID 2208 wrote to memory of 2380	2208	srvsec.exe	32
PID 2380 wrote to memory of 2808	2380	srvsce.exe	33
PID 2380 wrote to memory of 2808	2380	srvsce.exe	33
PID 2380 wrote to memory of 2808	2380	srvsce.exe	33
PID 2380 wrote to memory of 2808	2380	srvsce.exe	33
PID 2808 wrote to memory of 2636	2808	srvsec.exe	34
PID 2808 wrote to memory of 2636	2808	srvsec.exe	34
PID 2808 wrote to memory of 2636	2808	srvsec.exe	34
PID 2808 wrote to memory of 2636	2808	srvsec.exe	34
PID 2636 wrote to memory of 2620	2636	srvsce.exe	35
PID 2636 wrote to memory of 2620	2636	srvsce.exe	35
PID 2636 wrote to memory of 2620	2636	srvsce.exe	35
PID 2636 wrote to memory of 2620	2636	srvsce.exe	35
PID 2620 wrote to memory of 2012	2620	srvsec.exe	36
PID 2620 wrote to memory of 2012	2620	srvsec.exe	36
PID 2620 wrote to memory of 2012	2620	srvsec.exe	36
PID 2620 wrote to memory of 2012	2620	srvsec.exe	36
PID 2012 wrote to memory of 1412	2012	srvsce.exe	37
PID 2012 wrote to memory of 1412	2012	srvsce.exe	37
PID 2012 wrote to memory of 1412	2012	srvsce.exe	37
PID 2012 wrote to memory of 1412	2012	srvsce.exe	37
PID 1412 wrote to memory of 600	1412	srvsec.exe	38
PID 1412 wrote to memory of 600	1412	srvsec.exe	38
PID 1412 wrote to memory of 600	1412	srvsec.exe	38
PID 1412 wrote to memory of 600	1412	srvsec.exe	38
PID 600 wrote to memory of 1672	600	srvsce.exe	39
PID 600 wrote to memory of 1672	600	srvsce.exe	39
PID 600 wrote to memory of 1672	600	srvsce.exe	39
PID 600 wrote to memory of 1672	600	srvsce.exe	39
PID 1672 wrote to memory of 1692	1672	srvsec.exe	40
PID 1672 wrote to memory of 1692	1672	srvsec.exe	40
PID 1672 wrote to memory of 1692	1672	srvsec.exe	40
PID 1672 wrote to memory of 1692	1672	srvsec.exe	40
PID 1692 wrote to memory of 2436	1692	srvsce.exe	41
PID 1692 wrote to memory of 2436	1692	srvsce.exe	41
PID 1692 wrote to memory of 2436	1692	srvsce.exe	41
PID 1692 wrote to memory of 2436	1692	srvsce.exe	41
PID 2436 wrote to memory of 288	2436	srvsec.exe	42
PID 2436 wrote to memory of 288	2436	srvsec.exe	42
PID 2436 wrote to memory of 288	2436	srvsec.exe	42
PID 2436 wrote to memory of 288	2436	srvsec.exe	42
PID 288 wrote to memory of 772	288	srvsce.exe	43
PID 288 wrote to memory of 772	288	srvsce.exe	43
PID 288 wrote to memory of 772	288	srvsce.exe	43
PID 288 wrote to memory of 772	288	srvsce.exe	43
PID 772 wrote to memory of 1028	772	srvsec.exe	44
PID 772 wrote to memory of 1028	772	srvsec.exe	44
PID 772 wrote to memory of 1028	772	srvsec.exe	44
PID 772 wrote to memory of 1028	772	srvsec.exe	44
PID 1028 wrote to memory of 740	1028	srvsce.exe	45
PID 1028 wrote to memory of 740	1028	srvsce.exe	45
PID 1028 wrote to memory of 740	1028	srvsce.exe	45
PID 1028 wrote to memory of 740	1028	srvsce.exe	45
PID 740 wrote to memory of 980	740	srvsec.exe	46
PID 740 wrote to memory of 980	740	srvsec.exe	46
PID 740 wrote to memory of 980	740	srvsec.exe	46
PID 740 wrote to memory of 980	740	srvsec.exe	46

C:\Users\Admin\AppData\Local\Temp\6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\srvsec.exe
  C:\Windows\system32\srvsec.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\srvsce.exe
    C:\Windows\system32\srvsce.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\SysWOW64\srvsec.exe
      C:\Windows\system32\srvsec.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:344
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:264
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        30⤵
        Executes dropped EXE
        
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\srvsec.exe

Filesize
409KB

MD5
6016477a96fd9762fd7f6f33b6097a13

SHA1
8f8baf87ae8c15fcd6f6eb83a0461a6be171f15e

SHA256
42abe8d862cc51b6353d1bd5124ad3b288bab75ee28d34353fc99b70f7e3b941

SHA512
2b1438c4616254762842586bc45a1e18bcf4d4c2d86cd3bec792be115ccb65bf05cd3387443351e944478a6675bc12917e0d7505e20f437c614bf904c5f9cec1

Download Submit
C:\Windows\SysWOW64\srvsec.ini

Filesize
86B

MD5
609fc767b01e7f44774dc85434bae4c0

SHA1
769057120a9f08225ec6bcf4dd0177eb10cc5493

SHA256
a3a4fee0518e78758e3a85adcfecc98f111d00d0dd84a2543b6ee7f22bd81174

SHA512
b4fcfca2eee32408821999268015a5144e062c12f47409e31aa0ff1132764715d22e82a95fba967dbeae999f21bc7d7294489f6cee865ca5adfc2c8369bc7bad

Download Submit
C:\Windows\SysWOW64\srvsec.ini

Filesize
32B

MD5
5f10d327b2700a1eec22654acb4b86e9

SHA1
fb52b43e074ade17fc71e3f216fbaf697828a76c

SHA256
4c961b6e672f2caeca9f6c6c8bcf2745b2162c2dd8e1ccb8646f0f679c9c7ab7

SHA512
2e1bd111a468edbe00f3ed9fb697433cae1ebf675c7d4ec64a3c9ba20084a9c48032a5b3bb62765a9bd0eb1f3dd4c0ce8e910bb5ef564fcff3c2dd9efff9118d

Download Submit
C:\Windows\SysWOW64\srvsec.ini

Filesize
32B

MD5
7654a0e03e1d1cc268441e2b1177a1c5

SHA1
6640ae091027f7f2f19b1e79059b055a4d1820a2

SHA256
3f0cb5671d0d75a4ccda89a2731412aaf80de2d918b17ff3a059391a42e1c013

SHA512
c7cc20076b70857d2af34e350e2ac0fb0d2d80bb8aa43a5a217ee759b0fc196df98c864ec74a8825001bc409a35b1a963350e41574955db642955654616f65a1

Download Submit
memory/264-268-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/264-279-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/288-182-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/288-165-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/288-178-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/344-236-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/600-122-0x0000000002140000-0x0000000002240000-memory.dmp

Filesize
1024KB

Download
memory/600-125-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/740-200-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/740-209-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/772-192-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/772-180-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/980-210-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/980-217-0x0000000001EB0000-0x0000000001FB0000-memory.dmp

Filesize
1024KB

Download
memory/980-219-0x0000000001EB0000-0x0000000001FB0000-memory.dmp

Filesize
1024KB

Download
memory/980-220-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1028-201-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1028-193-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1412-95-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1412-111-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1528-253-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1672-139-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1672-126-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1692-152-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1692-140-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1936-218-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1936-228-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1984-325-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2012-83-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2012-97-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2012-98-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2120-244-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2208-27-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2208-25-0x0000000002130000-0x0000000002230000-memory.dmp

Filesize
1024KB

Download
memory/2208-12-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2208-18-0x0000000002130000-0x0000000002230000-memory.dmp

Filesize
1024KB

Download
memory/2380-40-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2436-167-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2436-153-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2476-11-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2476-0-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2620-82-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2620-69-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2620-324-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2620-316-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2636-68-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2636-55-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2644-288-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2644-280-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2696-252-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2696-261-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2728-298-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2728-306-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2736-307-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2736-315-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2768-289-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2768-297-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2808-54-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2808-41-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2812-271-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2812-262-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads