Analysis
max time kernel: 133s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted: 28-07-2024 00:51
Static task
static1
Behavioral task
behavioral1
Sample
041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
Target: 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe
Size: 450KB
MD5: 041ef0cd8731e7e9bd0c35f6e16d2807
SHA1: b506a49f244359bf5062665271d773bd595c4570
SHA256: f84e452ab2a7a2eab3b47a74fcf7e88f3a6f2a7cc8b0399da062adbe92497d78
SHA512: affe94963e905441a002e97edb39ba64d304e8e0504d67b155e7fbdc1e4e1ab8c5041145a2970c88366754fe062ce70486e42d360c4aa51d99f506a6b8159df9
SSDEEP: 6144:8EicAkEicAKKJNfTxo2i4Qiza4O7N68XEicAkEicAKKJNfTxo2i4Qiza4O7N686:gc7ctKJ16Gna4Y6Uc7ctKJ16Gna4Y6h
Malware Config
Signatures
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "ntsd -d" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "ntsd -d" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\debugger = "ntsd -d" | reg.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe " | cmd.exe
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Modifies registry class 14 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe " | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe " | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.txt | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe " | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.txt \ = " exefile" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe " | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command | cmd.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 30 IoCs
description | pid | Process | procid_target
PID 3600 wrote to memory of 1360 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 86
PID 3600 wrote to memory of 1360 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 86
PID 3600 wrote to memory of 1360 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 86
PID 3600 wrote to memory of 348 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 89
PID 3600 wrote to memory of 348 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 89
PID 3600 wrote to memory of 348 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 89
PID 3600 wrote to memory of 2656 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 90
PID 3600 wrote to memory of 2656 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 90
PID 3600 wrote to memory of 2656 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 90
PID 3600 wrote to memory of 3008 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 91
PID 3600 wrote to memory of 3008 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 91
PID 3600 wrote to memory of 3008 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 91
PID 3600 wrote to memory of 3476 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 92
PID 3600 wrote to memory of 3476 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 92
PID 3600 wrote to memory of 3476 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 92
PID 3600 wrote to memory of 1280 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 93
PID 3600 wrote to memory of 1280 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 93
PID 3600 wrote to memory of 1280 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 93
PID 3600 wrote to memory of 4840 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 94
PID 3600 wrote to memory of 4840 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 94
PID 3600 wrote to memory of 4840 | 3600 | 041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe | 94
PID 348 wrote to memory of 3152 | 348 | cmd.exe | 101
PID 348 wrote to memory of 3152 | 348 | cmd.exe | 101
PID 348 wrote to memory of 3152 | 348 | cmd.exe | 101
PID 348 wrote to memory of 1156 | 348 | cmd.exe | 102
PID 348 wrote to memory of 1156 | 348 | cmd.exe | 102
PID 348 wrote to memory of 1156 | 348 | cmd.exe | 102
PID 348 wrote to memory of 4940 | 348 | cmd.exe | 103
PID 348 wrote to memory of 4940 | 348 | cmd.exe | 103
PID 348 wrote to memory of 4940 | 348 | cmd.exe | 103
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3600

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe
    - System Location Discovery: System Language Discovery
    PID: 1360

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\123.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 348

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f
      - Event Triggered Execution: Image File Execution Options Injection
      - System Location Discovery: System Language Discovery
      PID: 3152

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f
      - Event Triggered Execution: Image File Execution Options Injection
      - System Location Discovery: System Language Discovery
      PID: 1156

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f
      - Event Triggered Execution: Image File Execution Options Injection
      - System Location Discovery: System Language Discovery
      PID: 4940

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c assoc .txt = exefile
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 2656

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe
    - Modifies system executable filetype association
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 3008

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 3476

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 1280

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\041ef0cd8731e7e9bd0c35f6e16d2807_JaffaCakes118.exe
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 4840
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 443B
MD5: 70170ba16a737a438223b88279dc6c85
SHA1: cc066efa0fca9bc9f44013660dea6b28ddfd6a24
SHA256: d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a
SHA512: 37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da

Filesize: 450KB
MD5: 918db32624b5757d6948ff32bfeb8808
SHA1: 44f0218d86b0223067dda0d471df070b54de69ab
SHA256: c0b20a763bef1305a8bfaf689ebdf6c072a54fd876d0276e2ff8b26a2c818bd9
SHA512: bfc52fa8ded24fc890ac6b5f45fc1099c0c60a09334ba67dec5202e6a66846d87a35a7a547ca7c46c17a7c22053904ee69838725abde464e99e7402842053bbe