Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2024 17:59
Static task: static1
Behavioral task: behavioral1
- Sample: 7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: 7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe
- Size: 708KB
- MD5: 7d6816ca8761c9611542c326105efbbf
- SHA1: 8ad553cd6ee105cf6050b8017ecf88319fc4ff8c
- SHA256: f37dc2aab4817b85c6b2caf9c5ed0790d4613fd9248207c7c37270c13aafed4c
- SHA512: 3d62ec55922034b43828ad2232b89b72db0a08af7bcff1047ed27c6174f18ddb6e76f7433584e02e548abcdd2eb77d143ef8d3dce744fc18d667a2d85764b853
- SSDEEP: 12288:GkgiBS7Q7MKrOtxf+zbp6+rZg5vqxsIM3Ep5DPEL1Corj5pRXQhYuRv86:ZV8U7MVxIFbZgpqfR5o3j5PACyj
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: mynet.m3th.org:8745
- Mutex: DC_MUTEX-2AE3ZR7
- gencode: MRTgxCEg0e7q
- install: false
- offline_keylogger: true
- persistence: false
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000\Control Panel\International\Geo\Nation by 7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe
Executes dropped EXE (28 IoCs)
Processes:
- lodctr.exe, PIDs: 4460, 5024, 4836, 1756, 4284, 1656, 2956, 2788, 1012, 3256, 824, 4360, 5056, 2480, 2336, 3676, 5020, 4748, 4576, 3496, 2536, 3992, 3016, 3320, 1560, 1788, 60, 1580
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 2012 (7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe) set thread context of PID 2032 (AppLaunch.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 30 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  - lodctr.exe (28 instances)
  - AppLaunch.exe
  - 7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 2012, 7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe (all 64 IoCs)
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes:
- PID 2012, 7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe
  - Token: SeDebugPrivilege
- PID 2032, AppLaunch.exe
  - Token: SeIncreaseQuotaPrivilege
  - Token: SeSecurityPrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeLoadDriverPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeSystemtimePrivilege
  - Token: SeProfSingleProcessPrivilege
  - Token: SeIncBasePriorityPrivilege
  - Token: SeCreatePagefilePrivilege
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeDebugPrivilege
  - Token: SeSystemEnvironmentPrivilege
  - Token: SeChangeNotifyPrivilege
  - Token: SeRemoteShutdownPrivilege
  - Token: SeUndockPrivilege
  - Token: SeManageVolumePrivilege
  - Token: SeImpersonatePrivilege
  - Token: SeCreateGlobalPrivilege
  - Token: 33
  - Token: 34
  - Token: 35
  - Token: 36
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 2032, AppLaunch.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
- PID 2012 (7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe) wrote to memory of:
  - 2032 AppLaunch.exe (14 writes)
  - lodctr.exe PIDs 4460, 5024, 4836, 1756, 4284, 1656, 2956, 2788, 1012, 3256, 824, 4360, 5056, 2480, 2336, 3676 (3 writes each)
  - 5020 lodctr.exe (2 writes)
Processes
C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2012
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2032
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4460
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 5024
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4836
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1756
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4284
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1656
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2956
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2788
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1012
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3256
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 824
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4360
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 5056
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2480
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2336
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3676
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 5020
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4748
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4576
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3496
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2536
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3992
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3016
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3320
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1560
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1788
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 60
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1580
Downloads
- Filesize: 312B
  MD5: 1754173b0ed4624c61fcf04f894e5bb6
  SHA1: 2fbf7999a2e14f19c9aeb1ac0e58b8a3859368b1
  SHA256: 19e1f5731300f62cc4bb6eac90e96b7ff5de1bf8c13a434f1a7e38ee6927d757
  SHA512: 63ae7b7da19c5b65ce73565042cf7386c8d53ab6645b901a9f684d5039e28addd91938d8d61cec153b675e80c25d92fae62bff53edf19914643c94f3a56db710
- Filesize: 8KB
  MD5: 7a42e78aa3fbb2ae0ff164c239c1fd81
  SHA1: a492a76a98f67c17ae93d6d619e173eed6eaaae4
  SHA256: 78604f7e3b34d01ac8204694cdc77bdb6e72612beb5f70719e7236ff029711a8
  SHA512: 238945d8463275d9a4d658429190120ccc138531d19202bceba0e13a7464e50970c1ee7ed9af1f980c53460fad1931efc25629061d6cb8dbebda5c13b94116e0