42abe8d862cc51b6353d1bd5124ad3b288bab75ee28d34353fc99b70f7e3b941

Analysis

max time kernel
147s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe
Size

409KB
MD5

6016477a96fd9762fd7f6f33b6097a13
SHA1

8f8baf87ae8c15fcd6f6eb83a0461a6be171f15e
SHA256

42abe8d862cc51b6353d1bd5124ad3b288bab75ee28d34353fc99b70f7e3b941
SHA512

2b1438c4616254762842586bc45a1e18bcf4d4c2d86cd3bec792be115ccb65bf05cd3387443351e944478a6675bc12917e0d7505e20f437c614bf904c5f9cec1
SSDEEP

12288:D4uoXLAAuseZGoL/rgL4Mzxuyqu97YmQcVSPwUES0:nXseZGO/rPcuyquymQcVSPwdX

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4324	srvsec.exe

Executes dropped EXE 29 IoCs

pid	Process
4324	srvsec.exe
1048	srvsce.exe
4816	srvsec.exe
3728	srvsce.exe
1440	srvsec.exe
1300	srvsce.exe
2816	srvsec.exe
2844	srvsce.exe
4092	srvsec.exe
1084	srvsce.exe
4268	srvsec.exe
2480	srvsce.exe
4844	srvsec.exe
3296	srvsce.exe
916	srvsec.exe
1048	srvsce.exe
1344	srvsec.exe
2596	srvsce.exe
4916	srvsec.exe
4220	srvsce.exe
688	srvsec.exe
220	srvsce.exe
4648	srvsec.exe
1940	srvsce.exe
4800	srvsec.exe
2988	srvsce.exe
4368	srvsec.exe
1288	srvsce.exe
2036	srvsec.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3552-0-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/files/0x000900000002349a-4.dat	upx
behavioral2/memory/3552-7-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/4324-15-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/1048-23-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/4816-22-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/4816-31-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/1440-38-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/3728-40-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/1440-48-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/1300-55-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/2816-62-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/2844-70-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/4092-78-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/1084-86-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/4268-94-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/2480-95-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/2480-103-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/4844-110-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/3296-118-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/916-119-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/916-127-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/1048-135-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/1344-143-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/2596-151-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/4916-158-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/4220-167-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/688-175-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/220-180-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/4648-185-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/1940-190-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/4800-195-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/2988-200-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/4368-204-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/1288-209-0x0000000000400000-0x0000000000500000-memory.dmp	upx

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe"	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsec.exe"	srvsec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKEY_SECURITY = "C:\\Windows\\SysWOW64\\srvsce.exe"	srvsce.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsce.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsce.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.exe	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsec.exe
File opened for modification	C:\Windows\SysWOW64\srvsec.ini	srvsce.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 4324	3552	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe	91
PID 3552 wrote to memory of 4324	3552	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe	91
PID 3552 wrote to memory of 4324	3552	6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe	91
PID 4324 wrote to memory of 1048	4324	srvsec.exe	94
PID 4324 wrote to memory of 1048	4324	srvsec.exe	94
PID 4324 wrote to memory of 1048	4324	srvsec.exe	94
PID 1048 wrote to memory of 4816	1048	srvsce.exe	96
PID 1048 wrote to memory of 4816	1048	srvsce.exe	96
PID 1048 wrote to memory of 4816	1048	srvsce.exe	96
PID 4816 wrote to memory of 3728	4816	srvsec.exe	97
PID 4816 wrote to memory of 3728	4816	srvsec.exe	97
PID 4816 wrote to memory of 3728	4816	srvsec.exe	97
PID 3728 wrote to memory of 1440	3728	srvsce.exe	98
PID 3728 wrote to memory of 1440	3728	srvsce.exe	98
PID 3728 wrote to memory of 1440	3728	srvsce.exe	98
PID 1440 wrote to memory of 1300	1440	srvsec.exe	100
PID 1440 wrote to memory of 1300	1440	srvsec.exe	100
PID 1440 wrote to memory of 1300	1440	srvsec.exe	100
PID 1300 wrote to memory of 2816	1300	srvsce.exe	103
PID 1300 wrote to memory of 2816	1300	srvsce.exe	103
PID 1300 wrote to memory of 2816	1300	srvsce.exe	103
PID 2816 wrote to memory of 2844	2816	srvsec.exe	104
PID 2816 wrote to memory of 2844	2816	srvsec.exe	104
PID 2816 wrote to memory of 2844	2816	srvsec.exe	104
PID 2844 wrote to memory of 4092	2844	srvsce.exe	105
PID 2844 wrote to memory of 4092	2844	srvsce.exe	105
PID 2844 wrote to memory of 4092	2844	srvsce.exe	105
PID 4092 wrote to memory of 1084	4092	srvsec.exe	106
PID 4092 wrote to memory of 1084	4092	srvsec.exe	106
PID 4092 wrote to memory of 1084	4092	srvsec.exe	106
PID 1084 wrote to memory of 4268	1084	srvsce.exe	107
PID 1084 wrote to memory of 4268	1084	srvsce.exe	107
PID 1084 wrote to memory of 4268	1084	srvsce.exe	107
PID 4268 wrote to memory of 2480	4268	srvsec.exe	108
PID 4268 wrote to memory of 2480	4268	srvsec.exe	108
PID 4268 wrote to memory of 2480	4268	srvsec.exe	108
PID 2480 wrote to memory of 4844	2480	srvsce.exe	109
PID 2480 wrote to memory of 4844	2480	srvsce.exe	109
PID 2480 wrote to memory of 4844	2480	srvsce.exe	109
PID 4844 wrote to memory of 3296	4844	srvsec.exe	111
PID 4844 wrote to memory of 3296	4844	srvsec.exe	111
PID 4844 wrote to memory of 3296	4844	srvsec.exe	111
PID 3296 wrote to memory of 916	3296	srvsce.exe	112
PID 3296 wrote to memory of 916	3296	srvsce.exe	112
PID 3296 wrote to memory of 916	3296	srvsce.exe	112
PID 916 wrote to memory of 1048	916	srvsec.exe	113
PID 916 wrote to memory of 1048	916	srvsec.exe	113
PID 916 wrote to memory of 1048	916	srvsec.exe	113
PID 1048 wrote to memory of 1344	1048	srvsce.exe	114
PID 1048 wrote to memory of 1344	1048	srvsce.exe	114
PID 1048 wrote to memory of 1344	1048	srvsce.exe	114
PID 1344 wrote to memory of 2596	1344	srvsec.exe	115
PID 1344 wrote to memory of 2596	1344	srvsec.exe	115
PID 1344 wrote to memory of 2596	1344	srvsec.exe	115
PID 2596 wrote to memory of 4916	2596	srvsce.exe	116
PID 2596 wrote to memory of 4916	2596	srvsce.exe	116
PID 2596 wrote to memory of 4916	2596	srvsce.exe	116
PID 4916 wrote to memory of 4220	4916	srvsec.exe	121
PID 4916 wrote to memory of 4220	4916	srvsec.exe	121
PID 4916 wrote to memory of 4220	4916	srvsec.exe	121
PID 4220 wrote to memory of 688	4220	srvsce.exe	126
PID 4220 wrote to memory of 688	4220	srvsce.exe	126
PID 4220 wrote to memory of 688	4220	srvsce.exe	126
PID 688 wrote to memory of 220	688	srvsec.exe	127

C:\Users\Admin\AppData\Local\Temp\6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6016477a96fd9762fd7f6f33b6097a13_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\SysWOW64\srvsec.exe
  C:\Windows\system32\srvsec.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\SysWOW64\srvsce.exe
    C:\Windows\system32\srvsce.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\SysWOW64\srvsec.exe
      C:\Windows\system32\srvsec.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3728
      - C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\srvsce.exe
        
        C:\Windows\system32\srvsce.exe
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\srvsec.exe
        
        C:\Windows\system32\srvsec.exe
        30⤵
        Executes dropped EXE
        
        PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\srvsec.exe

Filesize
409KB

MD5
6016477a96fd9762fd7f6f33b6097a13

SHA1
8f8baf87ae8c15fcd6f6eb83a0461a6be171f15e

SHA256
42abe8d862cc51b6353d1bd5124ad3b288bab75ee28d34353fc99b70f7e3b941

SHA512
2b1438c4616254762842586bc45a1e18bcf4d4c2d86cd3bec792be115ccb65bf05cd3387443351e944478a6675bc12917e0d7505e20f437c614bf904c5f9cec1

Download Submit
C:\Windows\SysWOW64\srvsec.ini

Filesize
86B

MD5
609fc767b01e7f44774dc85434bae4c0

SHA1
769057120a9f08225ec6bcf4dd0177eb10cc5493

SHA256
a3a4fee0518e78758e3a85adcfecc98f111d00d0dd84a2543b6ee7f22bd81174

SHA512
b4fcfca2eee32408821999268015a5144e062c12f47409e31aa0ff1132764715d22e82a95fba967dbeae999f21bc7d7294489f6cee865ca5adfc2c8369bc7bad

Download Submit
C:\Windows\SysWOW64\srvsec.ini

Filesize
32B

MD5
5f10d327b2700a1eec22654acb4b86e9

SHA1
fb52b43e074ade17fc71e3f216fbaf697828a76c

SHA256
4c961b6e672f2caeca9f6c6c8bcf2745b2162c2dd8e1ccb8646f0f679c9c7ab7

SHA512
2e1bd111a468edbe00f3ed9fb697433cae1ebf675c7d4ec64a3c9ba20084a9c48032a5b3bb62765a9bd0eb1f3dd4c0ce8e910bb5ef564fcff3c2dd9efff9118d

Download Submit
C:\Windows\SysWOW64\srvsec.ini

Filesize
32B

MD5
7654a0e03e1d1cc268441e2b1177a1c5

SHA1
6640ae091027f7f2f19b1e79059b055a4d1820a2

SHA256
3f0cb5671d0d75a4ccda89a2731412aaf80de2d918b17ff3a059391a42e1c013

SHA512
c7cc20076b70857d2af34e350e2ac0fb0d2d80bb8aa43a5a217ee759b0fc196df98c864ec74a8825001bc409a35b1a963350e41574955db642955654616f65a1

Download Submit
memory/220-180-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/688-175-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/916-127-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/916-119-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1048-135-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1048-23-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1084-86-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1288-209-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1300-55-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1344-143-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1440-48-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1440-38-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1940-190-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2480-103-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2480-95-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2596-151-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2816-62-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2844-70-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2988-200-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/3296-118-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/3552-0-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/3552-7-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/3728-40-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4092-78-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4220-167-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4268-94-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4324-15-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4368-204-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4648-185-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4800-195-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4816-31-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4816-22-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4844-110-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4916-158-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads