Analysis
- max time kernel: 149s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/07/2024, 00:58
Behavioral tasks
- behavioral1: sample 69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe, resource win7-20240704-en
- behavioral2: sample 69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe, resource win10v2004-20240709-en
The signatures, IoCs and process tree below come from behavioral2 (the Windows 10 run): the memory-dump resources are prefixed behavioral2/ and the child processes run from SysWOW64 on an x64 image.
General
- Target: 69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
- Size: 1.0MB
- MD5: 69a8abd71b135b53dbae1c43076902c1
- SHA1: d9f5c3c92f1996a972d2a8e2cbfa494a2598d960
- SHA256: 14935216d45b2e4a4c0883237dadcd4489a2ab1b1e9908f1f54d383523a47012
- SHA512: cf06bf6501c0e0124d75189f47e80abd13295377718861d2c584e0b7a8c7d3d17a8713fa9b4a494aa2cafd239613cb6581c4a747c2e2fddedf56c82c8ef71655
- SSDEEP: 24576:0J94Ob3Cx0i0o6zsday2COaHVHn/e6af4fVjbHomTOyzdI/CMgDb:0Jzyx0bsS2HVHn/VafeVjsuOkdI/M
Malware Config: (none extracted)
Signatures
-
Modifies Windows Firewall 2 TTPs 8 IoCs
Eight netsh.exe instances, each launched through a cmd.exe /c wrapper by the sample (PID 2612), add one inbound allow rule apiece (rule names, programs and full command lines are in the process tree below). None of them disables the firewall; they punch program-specific holes for binaries the sample expects to exist under C:\Windows\debug, C:\Windows\AutoKMS, C:\Windows\Temp and the user's Desktop.
pid   Process
4572  netsh.exe
3904  netsh.exe
4756  netsh.exe
1592  netsh.exe
3704  netsh.exe
4104  netsh.exe
1544  netsh.exe
4768  netsh.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation by 69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
-
UPX packed file 15 IoCs
Memory dumps of the sample's main image (PID 2612, 0x0000000000400000-0x0000000000496000) match the `upx` YARA rule at dump indices 0, 76, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115 and 116.
- resource: behavioral2/memory/2612-<index>-0x0000000000400000-0x0000000000496000-memory.dmp, yara_rule: upx
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables. The same memory dumps of PID 2612 (0x0000000000400000-0x0000000000496000) match the `autoit_exe` YARA rule at dump indices 76, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115 and 116, but not at index 0: the AutoIt stub only becomes visible once the UPX layer has unpacked in memory, so static scanning of the file on disk will see UPX, not AutoIt.
- resource: behavioral2/memory/2612-<index>-0x0000000000400000-0x0000000000496000-memory.dmp, yara_rule: autoit_exe
-
Drops file in Windows directory 28 IoCs
All 28 files were opened for modification by 69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe. Note the directory name is l0gs with a digit zero, and the file names mimic installer logs for common runtimes and applications.
- C:\Windows\Debug\l0gs\firefox.log
- C:\Windows\Debug\l0gs\vc++2012sp0_64bit.log
- C:\Windows\Debug\l0gs\JAVA_64bit_8u281.log
- C:\Windows\Debug\l0gs\_NET351SP0.log
- C:\Windows\Debug\l0gs\SCRIPT.5.7.0.16535.log
- C:\Windows\Debug\l0gs\vc++2012sp0_32bit.log
- C:\Windows\Debug\l0gs\vc++2008sp1_64bit.log
- C:\Windows\Debug\l0gs\locals.log
- C:\Windows\Debug\l0gs\_NET20SP0.log
- C:\Windows\Debug\l0gs\_NET20SP2.log
- C:\Windows\Debug\l0gs\_NET40_cli.log
- C:\Windows\Debug\l0gs\WMP_12.log
- C:\Windows\Debug\l0gs\W10_SP0.log
- C:\Windows\Debug\l0gs\dummy.log
- C:\Windows\Debug\l0gs\vc++2010sp1_32bit.log
- C:\Windows\Debug\downloads\ITx_updater.ini
- C:\Windows\Debug\l0gs\_NET30SP0.log
- C:\Windows\Debug\l0gs\_NET30SP2.log
- C:\Windows\Debug\l0gs\EU_font.log
- C:\Windows\Debug\l0gs\vc++2010sp1_64bit.log
- C:\Windows\Debug\l0gs\_NET_2_3_351.log
- C:\Windows\Debug\l0gs\vc++2008sp1_32bit.log
- C:\Windows\Debug\l0gs\_NET351SP1.log
- C:\Windows\Debug\l0gs\_Adobe_11.0.0.log
- C:\Windows\Debug\l0gs\chrome.log
- C:\Windows\Debug\l0gs\_NET480.log
- C:\Windows\Debug\l0gs\IE11.log
- C:\Windows\Debug\l0gs\MSI_45.log
-
Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs
The flagged pair is the cmd.exe/netsh.exe chain that adds the firewall rule for C:\Windows\debug\ITx_RunAsTI_64bit_v5.exe (see the process tree); the signature fired on the wrapper and its child, not on the sample itself.
pid   Process
1544  netsh.exe
3000  cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
All 24 IoCs are reads of one key by netsh.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (Key opened x8, Key queried x8, Key value enumerated x8, spread across the eight netsh.exe instances). netsh reads this key at start-up to load its registered helper DLLs, and no write to it is recorded anywhere on this page, so there is no evidence here that the sample registered a helper; the T1546.007 tag reflects netsh's normal behaviour rather than persistence. The WOW6432Node path is because the 32-bit netsh.exe from SysWOW64 was used.
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 18 IoCs are "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language: 8 by netsh.exe, 8 by cmd.exe and 2 by 69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe. Since the stock cmd.exe and netsh.exe children trigger it as often as the sample does, this is ordinary process start-up rather than sample-specific logic; the Geo\Nation lookup above is the stronger geofencing indicator.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
- PID 2612, 69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe (4 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 2612, 69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
- PID 3252, AUDIODG.EXE: Token 33; SeIncBasePriorityPrivilege
AUDIODG.EXE is the Windows audio engine host. It is not a descendant of the sample (it sits at the top level of the process tree with its own command line), so these two events are sandbox background activity, not sample behaviour.
-
Suspicious use of FindShellTrayWindow 64 IoCs
- PID 2612, 69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe (all 64 events)
-
Suspicious use of SendNotifyMessage 64 IoCs
- PID 2612, 69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe (all 64 events)
-
Suspicious use of WriteProcessMemory 48 IoCs
Every write here is a parent writing into a child it has just created, and each creation is logged three times, which is consistent with ordinary process spawning rather than code injection into a foreign process. De-duplicated, the 16 parent-to-child pairs are the sample launching eight cmd.exe wrappers and each wrapper launching one netsh.exe:
source PID  source process                                       target PID  target process  procid_target
2612        69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe   3104        cmd.exe         87
3104        cmd.exe                                              3704        netsh.exe       89
2612        69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe   4900        cmd.exe         90
4900        cmd.exe                                              4104        netsh.exe       92
2612        69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe   3000        cmd.exe         93
3000        cmd.exe                                              1544        netsh.exe       95
2612        69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe   3964        cmd.exe         96
3964        cmd.exe                                              4768        netsh.exe       98
2612        69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe   4388        cmd.exe         101
4388        cmd.exe                                              4572        netsh.exe       103
2612        69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe   5004        cmd.exe         104
5004        cmd.exe                                              3904        netsh.exe       106
2612        69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe   2368        cmd.exe         109
2368        cmd.exe                                              4756        netsh.exe       111
2612        69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe   1796        cmd.exe         112
1796        cmd.exe                                              1592        netsh.exe       114
Processes
Depth in the tree is shown by indentation. For each process: image path and PID, the command line, then the signatures that fired on it. The sample is a 32-bit executable, so its request for C:\Windows\system32\cmd.exe is redirected by WOW64 to C:\Windows\SysWOW64\cmd.exe, and the netsh.exe that runs is the 32-bit one (hence the WOW6432Node registry key in the Netsh Helper DLL signature). The firewall rules it adds are nonetheless system-wide.
-
C:\Users\Admin\AppData\Local\Temp\69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe  (PID 2612)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 3104)
      cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_updater_run" dir=in action=allow description="updater run without uac" program="C:\Users\Admin\Desktop\ITx__Updater.exe" enable=yes protocol=any profile=public,private
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\netsh.exe  (PID 3704)
          cmdline: netsh advfirewall firewall add rule name="ITx_updater_run" dir=in action=allow description="updater run without uac" program="C:\Users\Admin\Desktop\ITx__Updater.exe" enable=yes protocol=any profile=public,private
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (PID 4900)
      cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_jobs_64" dir=in action=allow description="jobs 64" program="C:\Windows\debug\ITx_jobs_64bit_v5.exe" enable=yes protocol=any profile=public,private
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\netsh.exe  (PID 4104)
          cmdline: netsh advfirewall firewall add rule name="ITx_jobs_64" dir=in action=allow description="jobs 64" program="C:\Windows\debug\ITx_jobs_64bit_v5.exe" enable=yes protocol=any profile=public,private
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (PID 3000)
      cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_runasti_64" dir=in action=allow description="runasti 64" program="C:\Windows\debug\ITx_RunAsTI_64bit_v5.exe" enable=yes protocol=any profile=public,private
      - Access Token Manipulation: Create Process with Token
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\netsh.exe  (PID 1544)
          cmdline: netsh advfirewall firewall add rule name="ITx_runasti_64" dir=in action=allow description="runasti 64" program="C:\Windows\debug\ITx_RunAsTI_64bit_v5.exe" enable=yes protocol=any profile=public,private
          - Modifies Windows Firewall
          - Access Token Manipulation: Create Process with Token
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (PID 3964)
      cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_updater" dir=in action=allow description="updater ITx" program="C:\Users\Admin\Desktop\ITx_updater.exe" enable=yes protocol=any profile=public,private
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\netsh.exe  (PID 4768)
          cmdline: netsh advfirewall firewall add rule name="ITx_updater" dir=in action=allow description="updater ITx" program="C:\Users\Admin\Desktop\ITx_updater.exe" enable=yes protocol=any profile=public,private
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (PID 4388)
      cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_kms_1" dir=in action=allow description="kms file 1" program="C:\Windows\AutoKMS\AutoKMS.exe" enable=yes protocol=any profile=public,private
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\netsh.exe  (PID 4572)
          cmdline: netsh advfirewall firewall add rule name="ITx_kms_1" dir=in action=allow description="kms file 1" program="C:\Windows\AutoKMS\AutoKMS.exe" enable=yes protocol=any profile=public,private
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (PID 5004)
      cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_kms_2" dir=in action=allow description="kms file 2" program="C:\Windows\Temp\SppExtComObjHook.dll" enable=yes protocol=any profile=public,private
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\netsh.exe  (PID 3904)
          cmdline: netsh advfirewall firewall add rule name="ITx_kms_2" dir=in action=allow description="kms file 2" program="C:\Windows\Temp\SppExtComObjHook.dll" enable=yes protocol=any profile=public,private
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery
          (The program= value is a DLL. A firewall program rule matches the image path of a process, and a DLL is never a process image, so this rule cannot match any traffic; it is still a useful hunting artifact.)

    C:\Windows\SysWOW64\cmd.exe  (PID 2368)
      cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_checker" dir=in action=allow description="Nu Ma Uita" program="C:\Windows\debug\NuMaUita.exe" enable=yes protocol=any profile=public,private
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\netsh.exe  (PID 4756)
          cmdline: netsh advfirewall firewall add rule name="ITx_checker" dir=in action=allow description="Nu Ma Uita" program="C:\Windows\debug\NuMaUita.exe" enable=yes protocol=any profile=public,private
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery
          ("Nu Ma Uita" is Romanian for "don't forget me".)

    C:\Windows\SysWOW64\cmd.exe  (PID 1796)
      cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_downloader_updater" dir=in action=allow description="downloader updater" program="C:\Windows\debug\ITx_downloader_updater.exe" enable=yes protocol=any profile=public,private
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\netsh.exe  (PID 1592)
          cmdline: netsh advfirewall firewall add rule name="ITx_downloader_updater" dir=in action=allow description="downloader updater" program="C:\Windows\debug\ITx_downloader_updater.exe" enable=yes protocol=any profile=public,private
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery

C:\Windows\system32\AUDIODG.EXE  (PID 3252, not a child of the sample)
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x404 0x428
  - Suspicious use of AdjustPrivilegeToken
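The eight netsh invocations above are the sample's only durable change to the host, so the thing a responder wants is a quick way to pull the rule fields out of those command lines, decide which rules are worth worrying about, and produce the matching delete commands. The following is an added example written for this page; it is not code from the sandbox report or from the sample. The netsh command lines in SAMPLE_CMDLINES are copied from the process tree; the CONSTRUCTED_BENIGN line, the list of trusted install roots and the user-writable path markers are assumptions of the example, chosen to show the heuristics discriminating.

```python
"""Triage `netsh advfirewall firewall add rule` command lines from a sandbox process tree.

Added example (not part of the report). It parses the rule fields, flags rules whose
target program lives somewhere an installer would not normally put a network-facing
binary, and emits the netsh commands that remove the flagged rules.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Command lines copied from the process tree above (one via its cmd.exe /c wrapper,
# the rest as the netsh.exe child saw them).
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_updater_run" dir=in action=allow description="updater run without uac" program="C:\Users\Admin\Desktop\ITx__Updater.exe" enable=yes protocol=any profile=public,private',
    r'netsh advfirewall firewall add rule name="ITx_jobs_64" dir=in action=allow description="jobs 64" program="C:\Windows\debug\ITx_jobs_64bit_v5.exe" enable=yes protocol=any profile=public,private',
    r'netsh advfirewall firewall add rule name="ITx_runasti_64" dir=in action=allow description="runasti 64" program="C:\Windows\debug\ITx_RunAsTI_64bit_v5.exe" enable=yes protocol=any profile=public,private',
    r'netsh advfirewall firewall add rule name="ITx_updater" dir=in action=allow description="updater ITx" program="C:\Users\Admin\Desktop\ITx_updater.exe" enable=yes protocol=any profile=public,private',
    r'netsh advfirewall firewall add rule name="ITx_kms_1" dir=in action=allow description="kms file 1" program="C:\Windows\AutoKMS\AutoKMS.exe" enable=yes protocol=any profile=public,private',
    r'netsh advfirewall firewall add rule name="ITx_kms_2" dir=in action=allow description="kms file 2" program="C:\Windows\Temp\SppExtComObjHook.dll" enable=yes protocol=any profile=public,private',
    r'netsh advfirewall firewall add rule name="ITx_checker" dir=in action=allow description="Nu Ma Uita" program="C:\Windows\debug\NuMaUita.exe" enable=yes protocol=any profile=public,private',
    r'netsh advfirewall firewall add rule name="ITx_downloader_updater" dir=in action=allow description="downloader updater" program="C:\Windows\debug\ITx_downloader_updater.exe" enable=yes protocol=any profile=public,private',
]

# Constructed control case (not from the report): a narrowly scoped rule for a program
# under Program Files, which the heuristics below should leave alone.
CONSTRUCTED_BENIGN = [
    r'netsh advfirewall firewall add rule name="Example App" dir=in action=allow program="C:\Program Files\Example\app.exe" protocol=tcp localport=8080',
]

# Roots where a legitimately installed, network-facing program normally lives.
# Assumption of this example; tune it to the estate you are triaging.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)
# Path fragments that indicate a location a standard user (or a dropper running as
# one) can write to. Also an assumption of this example.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")

ADD_RULE = "netsh advfirewall firewall add rule"
# key=value pairs; the value is either "quoted, may contain spaces" or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_add_rule(cmdline):
    """Return {field: value} for an add-rule command line, or None if it is not one.

    Only the add-rule verb is searched for, so a bare netsh invocation and a
    `cmd.exe /c netsh ...` wrapper parse identically.
    """
    pos = cmdline.lower().find(ADD_RULE)
    if pos < 0:
        return None
    tail = cmdline[pos + len(ADD_RULE):]
    return {key.lower(): quoted or bare for key, quoted, bare in _KV.findall(tail)}


@dataclass
class Finding:
    name: str
    program: str
    reasons: list = field(default_factory=list)  # empty means nothing odd was seen


def assess_rule(fields):
    """Apply the location and scope heuristics to one parsed rule."""
    program = fields.get("program", "")
    low = program.lower()
    finding = Finding(name=fields.get("name", "<unnamed>"), program=program)
    if not program:
        finding.reasons.append("no program= constraint: rule applies to every process")
    else:
        if not low.startswith(TRUSTED_ROOTS):
            finding.reasons.append("program outside the standard install roots")
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            finding.reasons.append("program in a user-writable location")
        if PureWindowsPath(program).suffix.lower() == ".dll":
            # A program rule matches a process image; a DLL never is one.
            finding.reasons.append("program is a DLL, so the rule can never match a process")
    if (fields.get("dir", "").lower() == "in"
            and fields.get("action", "").lower() == "allow"
            and fields.get("protocol", "any").lower() == "any"):
        finding.reasons.append("inbound allow for any protocol and port")
    return finding


def triage(cmdlines):
    """Parse every command line, keep the add-rule ones, return one Finding each (input order)."""
    return [assess_rule(f) for f in map(parse_add_rule, cmdlines) if f is not None]


def delete_commands(findings):
    """netsh commands that remove the flagged rules; dir= and program= narrow the match by name."""
    return [
        f'netsh advfirewall firewall delete rule name="{f.name}" dir=in program="{f.program}"'
        for f in findings if f.reasons
    ]


if __name__ == "__main__":
    results = triage(SAMPLE_CMDLINES + CONSTRUCTED_BENIGN)
    for r in results:
        print(f"{r.name:25} {r.program}")
        for reason in r.reasons:
            print(f"    - {reason}")
    print()
    print("\n".join(delete_commands(results)))
```

Run as-is it flags all eight of the sample's rules and leaves the constructed Program Files rule alone. The delete commands are the ones to paste into an elevated prompt on an affected host; pinning dir= and program= as well as name= means a same-named rule for a different program is not removed by accident. Treat the trusted-root list as a starting point: a real estate has more legitimate roots, and the point of the example is the shape of the check, not that particular list.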
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process: Windows Service (1)
- Event Triggered Execution: Netsh Helper DLL (1)
Privilege Escalation
- Access Token Manipulation: Create Process with Token (1)
- Create or Modify System Process: Windows Service (1)
- Event Triggered Execution: Netsh Helper DLL (1)
Defense Evasion
- Access Token Manipulation: Create Process with Token (1)
- Impair Defenses: Disable or Modify System Firewall (1)
No signature in the list above corresponds to the Windows Service entry, and the Netsh Helper DLL entry rests only on netsh's start-up reads of its helper key (see that signature), so the firewall modification is the one mapping with solid evidence on this page.
Downloads
- Filesize: 435B
- MD5: b9949ee1474ff64ab49797d1b600cd5a
- SHA1: af3773cd67e5ef6fd3946ec637df012fbe92b859
- SHA256: f95b9589c1c5e331707503e48a4c818745c4a8a0477b1bb517c5c609f7a14094
- SHA512: 8c6835a12f019aa9668f765d2218bd55cf99e2ee4e2202641cfc5a4ffa8b1ee42257c2705dc903a3aca1e9f9511b85d3fc17017b95c1a5ae6be62e9d8ac43970