Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 27-07-2024 05:40

Static task: static1
Behavioral task: behavioral1
  Sample: 772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
  Resource: win10v2004-20240709-en

General
Target: 772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
Size: 65KB
MD5: 772952cfacf381892590ce0ccc4bb384
SHA1: 734e0306c531e9ffbf22b60e7c744e04f65fa79f
SHA256: 0b36f9990b83338a823f030e12fcd9a866a2cfcb434150d3e59c708a80a88102
SHA512: 1bc8e5145a9c5fde67c5df7289b32fee5720b5af7007c3fd5c3287c74c4754812552c2b6cef2ce77582233b8a8a2312975acc5c7687b0694cdec528456912d21
SSDEEP: 768:gqipbWxcGn+dNHyIztJT2W/V4EaRS8ZGMhpyNKnoBXzHpBRjG8CkFMRKVytHmDbX:6ScCqrztJi2icNKnoBX7RylHmH
Malware Config
Signatures
Deletes itself 1 IoCs
pid   Process
2740  cmd.exe

Executes dropped EXE 31 IoCs
pid   Process
2800  nlsdata0009.exe
2072  connect.exe
2920  kbdbu.exe
3004  remotepg.exe
2148  dmband.exe
780   msmpeg2enc.exe
1088  kbd103.exe
328   msident.exe
1300  gcdef.exe
2980  wmdrmdev.exe
2116  comres.exe
1076  kbdurdu.exe
2136  prnfldr.exe
1356  nlsdata0010.exe
2624  onexui.exe
2824  racengn.exe
2648  netprofm.exe
2604  smartcardcredentialprovider.exe
1200  kbdda.exe
1444  api-ms-win-crt-process-l1-1-0.exe
1076  srhelper.exe
1772  mssvp.exe
2440  tlscsp.exe
1684  rpcndfp.exe
1700  shdocvw.exe
1188  kbdycc.exe
1748  mswstr10.exe
552   gpedit.exe
2268  odbcbcp.exe
2680  httpapi.exe
2652  nlsdata0003.exe

Loads dropped DLL 64 IoCs
The raw list repeats each pid several times; the entries column gives how many raw entries that pid has.
pid   Process                                              entries
2536  772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe  4
2800  nlsdata0009.exe                                      5
2072  connect.exe                                          5
2920  kbdbu.exe                                            5
3004  remotepg.exe                                         5
2148  dmband.exe                                           5
780   msmpeg2enc.exe                                       5
1088  kbd103.exe                                           5
328   msident.exe                                          5
1300  gcdef.exe                                            5
2980  wmdrmdev.exe                                         5
2460  WerFault.exe                                         3
2116  comres.exe                                           5
1076  kbdurdu.exe                                          2
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory 62 IoCs
Each dropped file has two events from the same writing process, "File created" and "File opened for modification"; the 31 files are listed once each, ordered by stage. All paths are under C:\Windows\SysWOW64\.
File                                Process that created and modified it
nlsdata0009.exe                     772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
connect.exe                         nlsdata0009.exe
kbdbu.exe                           connect.exe
remotepg.exe                        kbdbu.exe
dmband.exe                          remotepg.exe
msmpeg2enc.exe                      dmband.exe
kbd103.exe                          msmpeg2enc.exe
msident.exe                         kbd103.exe
gcdef.exe                           msident.exe
wmdrmdev.exe                        gcdef.exe
comres.exe                          wmdrmdev.exe
kbdurdu.exe                         comres.exe
prnfldr.exe                         kbdurdu.exe
nlsdata0010.exe                     prnfldr.exe
onexui.exe                          nlsdata0010.exe
racengn.exe                         onexui.exe
netprofm.exe                        racengn.exe
smartcardcredentialprovider.exe     netprofm.exe
kbdda.exe                           smartcardcredentialprovider.exe
api-ms-win-crt-process-l1-1-0.exe   kbdda.exe
srhelper.exe                        api-ms-win-crt-process-l1-1-0.exe
mssvp.exe                           srhelper.exe
tlscsp.exe                          mssvp.exe
rpcndfp.exe                         tlscsp.exe
shdocvw.exe                         rpcndfp.exe
kbdycc.exe                          shdocvw.exe
mswstr10.exe                        kbdycc.exe
gpedit.exe                          mswstr10.exe
odbcbcp.exe                         gpedit.exe
httpapi.exe                         odbcbcp.exe
nlsdata0003.exe                     httpapi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 3 IoCs
pid   pid_target  Process       procid_target
2460  2980        WerFault.exe  63
976   1444        WerFault.exe  98
1728  1772        WerFault.exe  105
System Location Discovery: System Language Discovery 1 TTPs 63 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
All 63 events are the same operation, Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, one per process: the original sample 772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe; each of the 31 dropped executables (nlsdata0009.exe, connect.exe, kbdbu.exe, remotepg.exe, dmband.exe, msmpeg2enc.exe, kbd103.exe, msident.exe, gcdef.exe, wmdrmdev.exe, comres.exe, kbdurdu.exe, prnfldr.exe, nlsdata0010.exe, onexui.exe, racengn.exe, netprofm.exe, smartcardcredentialprovider.exe, kbdda.exe, api-ms-win-crt-process-l1-1-0.exe, srhelper.exe, mssvp.exe, tlscsp.exe, rpcndfp.exe, shdocvw.exe, kbdycc.exe, mswstr10.exe, gpedit.exe, odbcbcp.exe, httpapi.exe, nlsdata0003.exe); and each of the 31 cmd.exe instances. Since cmd.exe itself opens this key, the indicator is not discriminating on its own.
Suspicious use of WriteProcessMemory 64 IoCs
Each pair below appears four times in the raw log (16 distinct parent/child pairs, 64 entries).
pid   wrote to memory of  Process                                              procid_target
2536  2800                772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe  32
2536  2740                772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe  33
2800  2072                nlsdata0009.exe                                      36
2800  1488                nlsdata0009.exe                                      37
2072  2920                connect.exe                                          39
2072  2592                connect.exe                                          40
2920  3004                kbdbu.exe                                            43
2920  2304                kbdbu.exe                                            44
3004  2148                remotepg.exe                                         47
3004  2836                remotepg.exe                                         48
2148  780                 dmband.exe                                           50
2148  1064                dmband.exe                                           51
780   1088                msmpeg2enc.exe                                       53
780   2260                msmpeg2enc.exe                                       54
1088  328                 kbd103.exe                                           57
1088  2432                kbd103.exe                                           58
Processes
Tree depth is shown as [Ln]. Every stage at level n has the same two children at level n+1: the next dropped stage, and a cmd.exe that deletes the current stage's own image. Three stages (PIDs 2980, 1444 and 1772) also have a WerFault.exe child because they crashed. Image paths are the on-disk SysWOW64 paths; the command lines name C:\Windows\system32\, which WOW64 redirects to SysWOW64 for these 32-bit processes.

[L1]  PID 2536  C:\Users\Admin\AppData\Local\Temp\772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
      cmd:  "C:\Users\Admin\AppData\Local\Temp\772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe"
      sigs: Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[L2]  PID 2740  C:\Windows\SysWOW64\cmd.exe  (child of PID 2536)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe"
      sigs: Deletes itself; System Location Discovery: System Language Discovery
[L2]  PID 2800  C:\Windows\SysWOW64\nlsdata0009.exe  (child of PID 2536)
      cmd:  "C:\Windows\system32\nlsdata0009.exe"
      sigs: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[L3]  PID 1488  C:\Windows\SysWOW64\cmd.exe  (child of PID 2800)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\nlsdata0009.exe"
      sigs: System Location Discovery: System Language Discovery
[L3]  PID 2072  C:\Windows\SysWOW64\connect.exe  (child of PID 2800)
      cmd:  "C:\Windows\system32\connect.exe"
      sigs: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[L4]  PID 2592  C:\Windows\SysWOW64\cmd.exe  (child of PID 2072)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\connect.exe"
      sigs: System Location Discovery: System Language Discovery
[L4]  PID 2920  C:\Windows\SysWOW64\kbdbu.exe  (child of PID 2072)
      cmd:  "C:\Windows\system32\kbdbu.exe"
      sigs: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[L5]  PID 2304  C:\Windows\SysWOW64\cmd.exe  (child of PID 2920)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdbu.exe"
      sigs: System Location Discovery: System Language Discovery
[L5]  PID 3004  C:\Windows\SysWOW64\remotepg.exe  (child of PID 2920)
      cmd:  "C:\Windows\system32\remotepg.exe"
      sigs: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[L6]  PID 2836  C:\Windows\SysWOW64\cmd.exe  (child of PID 3004)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\remotepg.exe"
      sigs: System Location Discovery: System Language Discovery
[L6]  PID 2148  C:\Windows\SysWOW64\dmband.exe  (child of PID 3004)
      cmd:  "C:\Windows\system32\dmband.exe"
      sigs: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[L7]  PID 1064  C:\Windows\SysWOW64\cmd.exe  (child of PID 2148)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\dmband.exe"
      sigs: System Location Discovery: System Language Discovery
[L7]  PID 780   C:\Windows\SysWOW64\msmpeg2enc.exe  (child of PID 2148)
      cmd:  "C:\Windows\system32\msmpeg2enc.exe"
      sigs: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[L8]  PID 2260  C:\Windows\SysWOW64\cmd.exe  (child of PID 780)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msmpeg2enc.exe"
      sigs: System Location Discovery: System Language Discovery
[L8]  PID 1088  C:\Windows\SysWOW64\kbd103.exe  (child of PID 780)
      cmd:  "C:\Windows\system32\kbd103.exe"
      sigs: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[L9]  PID 2432  C:\Windows\SysWOW64\cmd.exe  (child of PID 1088)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbd103.exe"
      sigs: System Location Discovery: System Language Discovery
[L9]  PID 328   C:\Windows\SysWOW64\msident.exe  (child of PID 1088)
      cmd:  "C:\Windows\system32\msident.exe"
      sigs: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L10] PID 3016  C:\Windows\SysWOW64\cmd.exe  (child of PID 328)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msident.exe"
      sigs: System Location Discovery: System Language Discovery
[L10] PID 1300  C:\Windows\SysWOW64\gcdef.exe  (child of PID 328)
      cmd:  "C:\Windows\system32\gcdef.exe"
      sigs: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L11] PID 2144  C:\Windows\SysWOW64\cmd.exe  (child of PID 1300)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\gcdef.exe"
      sigs: System Location Discovery: System Language Discovery
[L11] PID 2980  C:\Windows\SysWOW64\wmdrmdev.exe  (child of PID 1300)
      cmd:  "C:\Windows\system32\wmdrmdev.exe"
      sigs: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L12] PID 2076  C:\Windows\SysWOW64\cmd.exe  (child of PID 2980)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmdrmdev.exe"
      sigs: System Location Discovery: System Language Discovery
[L12] PID 2460  C:\Windows\SysWOW64\WerFault.exe  (child of PID 2980)
      cmd:  C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 180
      sigs: Loads dropped DLL; Program crash
[L12] PID 2116  C:\Windows\SysWOW64\comres.exe  (child of PID 2980)
      cmd:  "C:\Windows\system32\comres.exe"
      sigs: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L13] PID 1760  C:\Windows\SysWOW64\cmd.exe  (child of PID 2116)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\comres.exe"
      sigs: System Location Discovery: System Language Discovery
[L13] PID 1076  C:\Windows\SysWOW64\kbdurdu.exe  (child of PID 2116)
      cmd:  "C:\Windows\system32\kbdurdu.exe"
      sigs: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L14] PID 2572  C:\Windows\SysWOW64\cmd.exe  (child of PID 1076)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdurdu.exe"
      sigs: System Location Discovery: System Language Discovery
[L14] PID 2136  C:\Windows\SysWOW64\prnfldr.exe  (child of PID 1076)
      cmd:  "C:\Windows\system32\prnfldr.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L15] PID 1732  C:\Windows\SysWOW64\cmd.exe  (child of PID 2136)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\prnfldr.exe"
      sigs: System Location Discovery: System Language Discovery
[L15] PID 1356  C:\Windows\SysWOW64\nlsdata0010.exe  (child of PID 2136)
      cmd:  "C:\Windows\system32\nlsdata0010.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L16] PID 1880  C:\Windows\SysWOW64\cmd.exe  (child of PID 1356)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\nlsdata0010.exe"
      sigs: System Location Discovery: System Language Discovery
[L16] PID 2624  C:\Windows\SysWOW64\onexui.exe  (child of PID 1356)
      cmd:  "C:\Windows\system32\onexui.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L17] PID 1092  C:\Windows\SysWOW64\cmd.exe  (child of PID 2624)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\onexui.exe"
      sigs: System Location Discovery: System Language Discovery
[L17] PID 2824  C:\Windows\SysWOW64\racengn.exe  (child of PID 2624)
      cmd:  "C:\Windows\system32\racengn.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L18] PID 2592  C:\Windows\SysWOW64\cmd.exe  (child of PID 2824)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\racengn.exe"
      sigs: System Location Discovery: System Language Discovery
[L18] PID 2648  C:\Windows\SysWOW64\netprofm.exe  (child of PID 2824)
      cmd:  "C:\Windows\system32\netprofm.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L19] PID 2080  C:\Windows\SysWOW64\cmd.exe  (child of PID 2648)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\netprofm.exe"
      sigs: System Location Discovery: System Language Discovery
[L19] PID 2604  C:\Windows\SysWOW64\smartcardcredentialprovider.exe  (child of PID 2648)
      cmd:  "C:\Windows\system32\smartcardcredentialprovider.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L20] PID 1748  C:\Windows\SysWOW64\cmd.exe  (child of PID 2604)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\smartcardcredentialprovider.exe"
      sigs: System Location Discovery: System Language Discovery
[L20] PID 1200  C:\Windows\SysWOW64\kbdda.exe  (child of PID 2604)
      cmd:  "C:\Windows\system32\kbdda.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L21] PID 2248  C:\Windows\SysWOW64\cmd.exe  (child of PID 1200)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdda.exe"
      sigs: System Location Discovery: System Language Discovery
[L21] PID 1444  C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.exe  (child of PID 1200)
      cmd:  "C:\Windows\system32\api-ms-win-crt-process-l1-1-0.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L22] PID 1716  C:\Windows\SysWOW64\cmd.exe  (child of PID 1444)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\api-ms-win-crt-process-l1-1-0.exe"
      sigs: System Location Discovery: System Language Discovery
[L22] PID 976   C:\Windows\SysWOW64\WerFault.exe  (child of PID 1444)
      cmd:  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 184
      sigs: Program crash
[L22] PID 1076  C:\Windows\SysWOW64\srhelper.exe  (child of PID 1444)
      cmd:  "C:\Windows\system32\srhelper.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L23] PID 2136  C:\Windows\SysWOW64\cmd.exe  (child of PID 1076)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\srhelper.exe"
      sigs: System Location Discovery: System Language Discovery
[L23] PID 1772  C:\Windows\SysWOW64\mssvp.exe  (child of PID 1076)
      cmd:  "C:\Windows\system32\mssvp.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L24] PID 2800  C:\Windows\SysWOW64\cmd.exe  (child of PID 1772)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\mssvp.exe"
      sigs: System Location Discovery: System Language Discovery
[L24] PID 1728  C:\Windows\SysWOW64\WerFault.exe  (child of PID 1772)
      cmd:  C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 180
      sigs: Program crash
[L24] PID 2440  C:\Windows\SysWOW64\tlscsp.exe  (child of PID 1772)
      cmd:  "C:\Windows\system32\tlscsp.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L25] PID 3000  C:\Windows\SysWOW64\cmd.exe  (child of PID 2440)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\tlscsp.exe"
      sigs: System Location Discovery: System Language Discovery
[L25] PID 1684  C:\Windows\SysWOW64\rpcndfp.exe  (child of PID 2440)
      cmd:  "C:\Windows\system32\rpcndfp.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L26] PID 2732  C:\Windows\SysWOW64\cmd.exe  (child of PID 1684)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\rpcndfp.exe"
      sigs: System Location Discovery: System Language Discovery
[L26] PID 1700  C:\Windows\SysWOW64\shdocvw.exe  (child of PID 1684)
      cmd:  "C:\Windows\system32\shdocvw.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L27] PID 1152  C:\Windows\SysWOW64\cmd.exe  (child of PID 1700)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\shdocvw.exe"
      sigs: System Location Discovery: System Language Discovery
[L27] PID 1188  C:\Windows\SysWOW64\kbdycc.exe  (child of PID 1700)
      cmd:  "C:\Windows\system32\kbdycc.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L28] PID 928   C:\Windows\SysWOW64\cmd.exe  (child of PID 1188)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdycc.exe"
      sigs: System Location Discovery: System Language Discovery
[L28] PID 1748  C:\Windows\SysWOW64\mswstr10.exe  (child of PID 1188)
      cmd:  "C:\Windows\system32\mswstr10.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L29] PID 592   C:\Windows\SysWOW64\cmd.exe  (child of PID 1748)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\mswstr10.exe"
      sigs: System Location Discovery: System Language Discovery
[L29] PID 552   C:\Windows\SysWOW64\gpedit.exe  (child of PID 1748)
      cmd:  "C:\Windows\system32\gpedit.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L30] PID 1264  C:\Windows\SysWOW64\cmd.exe  (child of PID 552)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\gpedit.exe"
      sigs: System Location Discovery: System Language Discovery
[L30] PID 2268  C:\Windows\SysWOW64\odbcbcp.exe  (child of PID 552)
      cmd:  "C:\Windows\system32\odbcbcp.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L31] PID 2884  C:\Windows\SysWOW64\cmd.exe  (child of PID 2268)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\odbcbcp.exe"
      sigs: System Location Discovery: System Language Discovery
[L31] PID 2680  C:\Windows\SysWOW64\httpapi.exe  (child of PID 2268)
      cmd:  "C:\Windows\system32\httpapi.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[L32] PID 2944  C:\Windows\SysWOW64\cmd.exe  (child of PID 2680)
      cmd:  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\httpapi.exe"
      sigs: System Location Discovery: System Language Discovery
[L32] PID 2652  C:\Windows\SysWOW64\nlsdata0003.exe  (child of PID 2680)
      cmd:  "C:\Windows\system32\nlsdata0003.exe"
      sigs: Executes dropped EXE; System Location Discovery: System Language Discovery
      (no children recorded)
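The process tree records one pattern 31 times over: each stage writes the next stage into C:\Windows\SysWOW64\, starts it, and spawns cmd.exe /c del on its own image, so by the time the last recorded stage (nlsdata0003.exe) runs, every earlier stage has been removed from disk. The sandbox's "Deletes itself" indicator fires only for the original sample; the per-stage deletions are only visible by matching each cmd.exe's del target against its parent's image. The following Python is an added example, not code from the report or from the sample. It rebuilds the chain from process-creation and file-creation records, flags every cmd.exe that deletes its parent's image, and normalises the WOW64 redirection that makes the del target (C:\Windows\system32\...) differ textually from the on-disk image path (C:\Windows\SysWOW64\...). The records are constructed to mirror levels 1 to 4 of the report (same PIDs, images and command lines) plus one benign control; the field names pid, ppid, image, cmdline and path are an assumed schema, not any particular EDR's.

```python
"""Rebuild the drop / execute / self-delete chain from process telemetry.

Added example, not code from the report or the sample. The records below
are constructed to mirror levels 1-4 of the report's process tree (same
PIDs, images, command lines) plus one benign control; the field names
pid, ppid, image, cmdline and path are an assumed schema, not any EDR's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int
    image: str    # image path as resolved on disk
    cmdline: str  # command line as passed by the parent


@dataclass(frozen=True)
class FileCreate:
    pid: int      # process that wrote the file
    path: str


def norm(path: str) -> str:
    """Case-fold and undo WOW64 redirection: a 32-bit process naming
    C:\\Windows\\system32\\X actually touches C:\\Windows\\SysWOW64\\X (the
    report's cmd.exe lines show exactly this), so the two must compare equal."""
    p = path.lower().replace("/", "\\")
    return p.replace("\\windows\\system32\\", "\\windows\\syswow64\\")


_DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def del_target(cmdline: str) -> str | None:
    """Normalised path named by a `cmd.exe /c del <path>` command line."""
    m = _DEL_RE.search(cmdline)
    return norm(m.group(1)) if m else None


def self_deletions(procs: list[ProcessCreate]) -> list[tuple[int, str]]:
    """(cmd_pid, parent_image) for every cmd.exe whose del target is its own
    parent's image: the report's 'Deletes itself' test applied to every
    stage, not just the original sample. Keyed by PID only; the report
    reuses PIDs 1076, 2136, 1748, 2592 and 2800, so real telemetry needs
    (pid, start time) as the key."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not norm(p.image).endswith("\\cmd.exe"):
            continue
        target = del_target(p.cmdline)
        parent = by_pid.get(p.ppid)
        if target and parent and target == norm(parent.image):
            hits.append((p.pid, parent.image))
    return hits


def drop_chain(procs: list[ProcessCreate], files: list[FileCreate]) -> list[str]:
    """Walk from the root along 'parent wrote X, then parent started X'
    links and return the stage images in order; the report's 31 'Executes
    dropped EXE' IoCs are the 31 links of one such walk."""
    by_pid = {p.pid: p for p in procs}
    written = {(f.pid, norm(f.path)) for f in files}
    children: dict[int, list[ProcessCreate]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    cur = next(p for p in procs if p.ppid not in by_pid)  # root: parent unseen
    chain: list[str] = []
    while cur is not None:
        chain.append(cur.image)
        dropped = [c for c in children.get(cur.pid, [])
                   if (cur.pid, norm(c.image)) in written]
        cur = dropped[0] if dropped else None
    return chain


TMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SYSWOW64 = r"C:\Windows\SysWOW64"
ORIG_SAMPLE = TMP_DIR + r"\772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe"
CMD_DEL = r'"C:\Windows\system32\cmd.exe" /c del '

# Constructed telemetry mirroring the report's first four levels.
PROCS = [
    ProcessCreate(2536, 1234, ORIG_SAMPLE, '"' + ORIG_SAMPLE + '"'),
    ProcessCreate(2800, 2536, SYSWOW64 + r"\nlsdata0009.exe", r'"C:\Windows\system32\nlsdata0009.exe"'),
    ProcessCreate(2740, 2536, SYSWOW64 + r"\cmd.exe", CMD_DEL + '"' + ORIG_SAMPLE + '"'),
    ProcessCreate(2072, 2800, SYSWOW64 + r"\connect.exe", r'"C:\Windows\system32\connect.exe"'),
    ProcessCreate(1488, 2800, SYSWOW64 + r"\cmd.exe", CMD_DEL + r'"C:\Windows\system32\nlsdata0009.exe"'),
    ProcessCreate(2920, 2072, SYSWOW64 + r"\kbdbu.exe", r'"C:\Windows\system32\kbdbu.exe"'),
    ProcessCreate(2592, 2072, SYSWOW64 + r"\cmd.exe", CMD_DEL + r'"C:\Windows\system32\connect.exe"'),
    # Benign control (constructed): a del that does not name the parent's image.
    ProcessCreate(4000, 2920, SYSWOW64 + r"\cmd.exe", CMD_DEL + '"' + TMP_DIR + r'\scratch.tmp"'),
]
FILES = [
    FileCreate(2536, SYSWOW64 + r"\nlsdata0009.exe"),
    FileCreate(2800, SYSWOW64 + r"\connect.exe"),
    FileCreate(2072, SYSWOW64 + r"\kbdbu.exe"),
]

if __name__ == "__main__":
    for pid, image in self_deletions(PROCS):
        print(f"cmd.exe {pid} deletes its parent's image {image}")
    print(" -> ".join(drop_chain(PROCS, FILES)))
```

On the constructed records the chain walk returns four images (the original sample, nlsdata0009.exe, connect.exe, kbdbu.exe) and the self-deletion test fires for PIDs 2740, 1488 and 2592 but not for the benign del of scratch.tmp. Fed the full tree above it would return all 32 stages and 31 self-deletions. The WOW64 normalisation is the piece most often missing from ad hoc rules: without it the del target and the parent image never compare equal, and every one of the 31 deletions is missed.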
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 98B
MD5: 019a39d5a31feb4da317e5d996198615
SHA1: b3bea73a09ec63a17595f676fe1dbb379cb4f786
SHA256: be7e5e128794a8cfed4b61c57c902c498ce79c72025c806a1e29581c87ee11d3
SHA512: ff96b3348e13aa8457c6029f52d7b60796693f57f6908e3f9cb1e7a95a21ea96b41781d20a5061c6e66c67c1f7eea859b96d0c0ad83d47f3ea7d9cb83f190474

Filesize: 65KB
MD5: 5128b97605fb852e9bb9f04f846792c3
SHA1: 15edd8d260fdf6dcc90a32f51e1e60e80d6f306e
SHA256: 64f96d9048b5b695e7ce2ab3c8588c21ee0964a867a4a5f2ce5d6fa5f1078607
SHA512: 76d757fe9bda1b2ca39401e12b8ad29f8d8f863e0e6df59049000bf1b5aba4f689c52c6e18ac9a8c87078159f2f4844b28e5f9517cee4a73af20924ea5db93a6

Filesize: 65KB
MD5: c524ff130210a5d455c18c8ae85ec04c
SHA1: 33f80ec5e5d77a837a37f44e008a9a337469c297
SHA256: 585238e845d0313d195571cc258aff14cda329f52e96769df37ae8e9c318688c
SHA512: effd9e328cb016288e359b581e0912e47161e77bb2c6b55407fa08287cfef4b5bf326cbf0e409f2ef1ba24fe74d2ab88e4fcc3e6824c23daff7e3d90be589a1c

Filesize: 65KB
MD5: 40aab215492df2e22bfc5547b76ff6b3
SHA1: 7c00534cf1ca6379c8603f742bfe73f4b13f4e19
SHA256: 041ddcc951128e33846d166837837a3a7f41c41cafde259260e7abeb4492230b
SHA512: 9b4e954500b64cbea2967970ef63afe7d3d4b8d4effe4b48120b293fd2fe61f9f8fae54e24f4708d09d68a017882149df171116cc269405c078907f9aa65baeb

Filesize: 65KB
MD5: 38d77d2e4fbfdaee96dedcac1a785bc4
SHA1: dd6b6cb706b6eea62dfaf74ea5b60602eb002003
SHA256: a7125d09794a2b1b86fcd2c1221454c810db4e172e4561b6c15c7c227c905009
SHA512: 36c0ffaebc9e9a4d509979d2da79b97ee9bad2251139fdd16d5b0588aa8bba69746e0afc0ab52fc0892d3316c82242186ebea4d6d730021e682a85534d967211

Filesize: 65KB
MD5: 6c89620981138a0f051611037584cef7
SHA1: 80ccf1c5792d030f3039e6d1138925077a2fdde9
SHA256: 1a27f5cd20d01e78e0c9ea1a861f0e1e23f1e70308114591881aaa5739bbeaae
SHA512: 64e1a45cbd799bc35fda2b9fb63333d060f3fa1cc373512a62d3a2af5fac13792b46f4c4940db1004480a8d09d0d32ca8de2606908506a26de2659785fa7b26b

Filesize: 65KB
MD5: 67260a94f30ef7975679a214948cfbef
SHA1: f0609f560e09d7c710582e0decef882e59892dca
SHA256: 01e9a6d3ca7c2734a6e632ee97a8addbd125195017f6fadea66caf78bc1fe190
SHA512: 801d003e4b1db14886f62fb962c528f7263033d90711090f509cdd6f93bd22f525cffee6a2eb710f94bafbfe1b2fdc7c9e44e770c144d0c29923c158f58ce063

Filesize: 65KB
MD5: 6dab6f0a0e0c2c35926f7ee9afb399ff
SHA1: f893b535c4168cfd2b8f48a70bb54f87b49bc0e6
SHA256: 2180019d9132f69350df141e7118d067b2f43290764445f4c9957b3ece9ba273
SHA512: cc5eecc465eccdd11cb5f395562ee9daac3cc0c645c3043c5b483a4a4de56aa314d86f38048c211c39ae5baf09f2bfa2a0556a2e95620e8ddbe9816bb38814e7

Filesize: 65KB
MD5: 7839daa557e7e0ffa9741d789ae6da27
SHA1: 0328485ec39d982e77f01412407ad7241c020e9a
SHA256: 403e99915914213f1bdcdf720b63ee77a32fe04691a06ec806349d3909eb45ae
SHA512: 757d2f652d558e1d311e3c0667ab7bc073a1bfa1cc4ce60705f6dd1a8735f216fbb80e374f25955bf885c5d42eba71e818f8a5146e05c32e9cd5f3d326c3a994

Filesize: 65KB
MD5: bae8406f058ef547294664d3909df74f
SHA1: fcc8437b40632703a86a1bc7c7a72371773598cd
SHA256: 887553ebb80e7bdbd3cd9fd31946ce4fe92c903189694a943ef2ae32fde4a331
SHA512: aabaa4d5ef2b87686235a1df726032a17d6e6e5a8f17618be97710693a6025de76a67885f0b5d786235f051749c1ec10ffcb59593d35a5efd7805aa6824300c6

Filesize: 65KB
MD5: a4db403e66256274b412715c215877a9
SHA1: 413e9b1bc3d6b862a5e58d4cddfbe0616e869482
SHA256: 8ebb32c25a94f8d9a8431fd552ca6ae8e95bbbe7c288ce65e4d7e0bb4dbb7c74
SHA512: 64af1f0c48178c0f124e4ab9110a9a58460d0c91ca63376f4be020f206466573baf3b518c913030d64781c6ad7e2b155417085bb3ed70d0eedb688c3d95c97d9