14935216d45b2e4a4c0883237dadcd4489a2ab1b1e9908f1f54d383523a47012

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
Size

1.0MB
MD5

69a8abd71b135b53dbae1c43076902c1
SHA1

d9f5c3c92f1996a972d2a8e2cbfa494a2598d960
SHA256

14935216d45b2e4a4c0883237dadcd4489a2ab1b1e9908f1f54d383523a47012
SHA512

cf06bf6501c0e0124d75189f47e80abd13295377718861d2c584e0b7a8c7d3d17a8713fa9b4a494aa2cafd239613cb6581c4a747c2e2fddedf56c82c8ef71655
SSDEEP

24576:0J94Ob3Cx0i0o6zsday2COaHVHn/e6af4fVjbHomTOyzdI/CMgDb:0Jzyx0bsS2HVHn/VafeVjsuOkdI/M

Score

8^/10

defense_evasion discovery evasion persistence privilege_escalation upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 8 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4572	netsh.exe
3904	netsh.exe
4756	netsh.exe
1592	netsh.exe
3704	netsh.exe
4104	netsh.exe
1544	netsh.exe
4768	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2612-0-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral2/memory/2612-76-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral2/memory/2612-104-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral2/memory/2612-105-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral2/memory/2612-106-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral2/memory/2612-107-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral2/memory/2612-108-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral2/memory/2612-109-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral2/memory/2612-110-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral2/memory/2612-111-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral2/memory/2612-112-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral2/memory/2612-113-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral2/memory/2612-114-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral2/memory/2612-115-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral2/memory/2612-116-0x0000000000400000-0x0000000000496000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2612-76-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/memory/2612-104-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/memory/2612-105-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/memory/2612-106-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/memory/2612-107-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/memory/2612-108-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/memory/2612-109-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/memory/2612-110-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/memory/2612-111-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/memory/2612-112-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/memory/2612-113-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/memory/2612-114-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/memory/2612-115-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/memory/2612-116-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\l0gs\firefox.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\vc++2012sp0_64bit.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\JAVA_64bit_8u281.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\_NET351SP0.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\SCRIPT.5.7.0.16535.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\vc++2012sp0_32bit.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\vc++2008sp1_64bit.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\locals.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\_NET20SP0.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\_NET20SP2.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\_NET40_cli.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\WMP_12.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\W10_SP0.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\dummy.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\vc++2010sp1_32bit.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\downloads\ITx_updater.ini	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\_NET30SP0.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\_NET30SP2.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\EU_font.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\vc++2010sp1_64bit.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\_NET_2_3_351.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\vc++2008sp1_32bit.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\_NET351SP1.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\_Adobe_11.0.0.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\chrome.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\_NET480.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\IE11.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\l0gs\MSI_45.log	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
1544	netsh.exe
3000	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3252	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3252	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 3104	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	87
PID 2612 wrote to memory of 3104	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	87
PID 2612 wrote to memory of 3104	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	87
PID 3104 wrote to memory of 3704	3104	cmd.exe	89
PID 3104 wrote to memory of 3704	3104	cmd.exe	89
PID 3104 wrote to memory of 3704	3104	cmd.exe	89
PID 2612 wrote to memory of 4900	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	90
PID 2612 wrote to memory of 4900	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	90
PID 2612 wrote to memory of 4900	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	90
PID 4900 wrote to memory of 4104	4900	cmd.exe	92
PID 4900 wrote to memory of 4104	4900	cmd.exe	92
PID 4900 wrote to memory of 4104	4900	cmd.exe	92
PID 2612 wrote to memory of 3000	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	93
PID 2612 wrote to memory of 3000	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	93
PID 2612 wrote to memory of 3000	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	93
PID 3000 wrote to memory of 1544	3000	cmd.exe	95
PID 3000 wrote to memory of 1544	3000	cmd.exe	95
PID 3000 wrote to memory of 1544	3000	cmd.exe	95
PID 2612 wrote to memory of 3964	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	96
PID 2612 wrote to memory of 3964	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	96
PID 2612 wrote to memory of 3964	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	96
PID 3964 wrote to memory of 4768	3964	cmd.exe	98
PID 3964 wrote to memory of 4768	3964	cmd.exe	98
PID 3964 wrote to memory of 4768	3964	cmd.exe	98
PID 2612 wrote to memory of 4388	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	101
PID 2612 wrote to memory of 4388	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	101
PID 2612 wrote to memory of 4388	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	101
PID 4388 wrote to memory of 4572	4388	cmd.exe	103
PID 4388 wrote to memory of 4572	4388	cmd.exe	103
PID 4388 wrote to memory of 4572	4388	cmd.exe	103
PID 2612 wrote to memory of 5004	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	104
PID 2612 wrote to memory of 5004	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	104
PID 2612 wrote to memory of 5004	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	104
PID 5004 wrote to memory of 3904	5004	cmd.exe	106
PID 5004 wrote to memory of 3904	5004	cmd.exe	106
PID 5004 wrote to memory of 3904	5004	cmd.exe	106
PID 2612 wrote to memory of 2368	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	109
PID 2612 wrote to memory of 2368	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	109
PID 2612 wrote to memory of 2368	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	109
PID 2368 wrote to memory of 4756	2368	cmd.exe	111
PID 2368 wrote to memory of 4756	2368	cmd.exe	111
PID 2368 wrote to memory of 4756	2368	cmd.exe	111
PID 2612 wrote to memory of 1796	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	112
PID 2612 wrote to memory of 1796	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	112
PID 2612 wrote to memory of 1796	2612	69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe	112
PID 1796 wrote to memory of 1592	1796	cmd.exe	114
PID 1796 wrote to memory of 1592	1796	cmd.exe	114
PID 1796 wrote to memory of 1592	1796	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_updater_run" dir=in action=allow description="updater run without uac" program="C:\Users\Admin\Desktop\ITx__Updater.exe" enable=yes protocol=any profile=public,private
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="ITx_updater_run" dir=in action=allow description="updater run without uac" program="C:\Users\Admin\Desktop\ITx__Updater.exe" enable=yes protocol=any profile=public,private
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_jobs_64" dir=in action=allow description="jobs 64" program="C:\Windows\debug\ITx_jobs_64bit_v5.exe" enable=yes protocol=any profile=public,private
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="ITx_jobs_64" dir=in action=allow description="jobs 64" program="C:\Windows\debug\ITx_jobs_64bit_v5.exe" enable=yes protocol=any profile=public,private
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_runasti_64" dir=in action=allow description="runasti 64" program="C:\Windows\debug\ITx_RunAsTI_64bit_v5.exe" enable=yes protocol=any profile=public,private
  2⤵
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="ITx_runasti_64" dir=in action=allow description="runasti 64" program="C:\Windows\debug\ITx_RunAsTI_64bit_v5.exe" enable=yes protocol=any profile=public,private
    3⤵
    - Modifies Windows Firewall
    - Access Token Manipulation: Create Process with Token
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_updater" dir=in action=allow description="updater ITx" program="C:\Users\Admin\Desktop\ITx_updater.exe" enable=yes protocol=any profile=public,private
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="ITx_updater" dir=in action=allow description="updater ITx" program="C:\Users\Admin\Desktop\ITx_updater.exe" enable=yes protocol=any profile=public,private
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_kms_1" dir=in action=allow description="kms file 1" program="C:\Windows\AutoKMS\AutoKMS.exe" enable=yes protocol=any profile=public,private
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="ITx_kms_1" dir=in action=allow description="kms file 1" program="C:\Windows\AutoKMS\AutoKMS.exe" enable=yes protocol=any profile=public,private
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_kms_2" dir=in action=allow description="kms file 2" program="C:\Windows\Temp\SppExtComObjHook.dll" enable=yes protocol=any profile=public,private
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="ITx_kms_2" dir=in action=allow description="kms file 2" program="C:\Windows\Temp\SppExtComObjHook.dll" enable=yes protocol=any profile=public,private
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_checker" dir=in action=allow description="Nu Ma Uita" program="C:\Windows\debug\NuMaUita.exe" enable=yes protocol=any profile=public,private
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="ITx_checker" dir=in action=allow description="Nu Ma Uita" program="C:\Windows\debug\NuMaUita.exe" enable=yes protocol=any profile=public,private
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_downloader_updater" dir=in action=allow description="downloader updater" program="C:\Windows\debug\ITx_downloader_updater.exe" enable=yes protocol=any profile=public,private
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="ITx_downloader_updater" dir=in action=allow description="downloader updater" program="C:\Windows\debug\ITx_downloader_updater.exe" enable=yes protocol=any profile=public,private
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1592

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404 0x428
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\downloads\ITx_updater.ini

Filesize
435B

MD5
b9949ee1474ff64ab49797d1b600cd5a

SHA1
af3773cd67e5ef6fd3946ec637df012fbe92b859

SHA256
f95b9589c1c5e331707503e48a4c818745c4a8a0477b1bb517c5c609f7a14094

SHA512
8c6835a12f019aa9668f765d2218bd55cf99e2ee4e2202641cfc5a4ffa8b1ee42257c2705dc903a3aca1e9f9511b85d3fc17017b95c1a5ae6be62e9d8ac43970

Download Submit
memory/2612-109-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-112-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-104-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-105-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-106-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-107-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-76-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-110-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-108-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-111-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-113-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-114-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-115-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-116-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download