Analysis
Max time kernel: 3s
Max time network: 18s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
Submitted: 01-08-2024 21:08
Static task: static1
Behavioral task: behavioral1
  Sample: 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
  Resource: win10v2004-20240730-en
General
Target: 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Size: 64KB
MD5: 81c4f9963dd2099915fd4e6f54dad969
SHA1: f155b91ef95f08884e01e81d3938d8fb1bece37e
SHA256: aca81d6f1061a026df786c014c6599faf8bb77bdba7c7ecf902aed5cb3940541
SHA512: 042ec8438e47a6b7b95122abed3b7f10537aba1995f4bacf7067a155257107638f654e68a03ae0a807ce9a2b04f0af6ee0bc6fd02be105042d11602a5986f2f4
SSDEEP: 768:7XK1Jsz/2COCKvxPD3WDKaZbO0lBo+fKpxcP60BPYXcgIufVXHo+DNXK:rOJsz/2HCKvRLUipy9BPkcgIutXfDZ
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\10.1.08.exe init" | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\1o.1.o8.exe shell" | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\10.1.08.exe init" | 1o.1.o8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\1o.1.o8.exe shell" | 1o.1.o8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\10.1.08.exe init" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\1o.1.o8.exe shell" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 10.1.08.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 1o.1.o8.exe
Disables RegEdit via registry modification (3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 10.1.08.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 1o.1.o8.exe
Disables Task Manager via registry modification
Executes dropped EXE (2 IoCs)
pid | Process
2780 | 10.1.08.exe
2788 | 1o.1.o8.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\10.1.08 = "C:\\Windows\\10.1.08.exe hlmrun" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\1o.1.o8 = "C:\\Windows\\1o.1.o8.exe hcurun" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\10.1.08 = "C:\\Windows\\10.1.08.exe hlmrun" | 10.1.08.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\1o.1.o8 = "C:\\Windows\\1o.1.o8.exe hcurun" | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\10.1.08 = "C:\\Windows\\10.1.08.exe hlmrun" | 1o.1.o8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\1o.1.o8 = "C:\\Windows\\1o.1.o8.exe hcurun" | 1o.1.o8.exe
Drops autorun.inf file (1 TTPs, 5 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 1o.1.o8.exe
File created | F:\autorun.inf | 1o.1.o8.exe
File opened for modification | F:\autorun.inf | 1o.1.o8.exe
File opened for modification | F:\autorun.inf | 10.1.08.exe
File created | C:\autorun.inf | 1o.1.o8.exe
Drops file in System32 directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\userinit.exe | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\userinit.exe | 10.1.08.exe
File opened for modification | C:\Windows\SysWOW64\userinit.exe | 1o.1.o8.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\10.1.08.exe | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
File opened for modification | C:\Windows\10.1.08.exe | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
File created | C:\Windows\1o.1.o8.exe | 10.1.08.exe
File opened for modification | C:\Windows\1o.1.o8.exe | 10.1.08.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 10.1.08.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1o.1.o8.exe
Modifies Internet Explorer settings (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "exefile" | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "exefile" | 1o.1.o8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "exefile" | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "exefile" | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.scr\ = "exefile" | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "exefile" | 1o.1.o8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd | 10.1.08.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a00310000000000015917a9102054656d700000360008000400efbee4580384015917a92a000000ff010000000002000000000000000000000000000000540065006d007000000014000000 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = a200310000000000015917a937003831433446397e3100008a0008000400efbe015917a9015917a92a000000d0740100000008000000000000000000000000000000380031006300340066003900390036003300640064003200300039003900390031003500660064003400650036006600350034006400610064003900360039005f004a006100660066006100430061006b0065007300310031003800000018000000 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | 1o.1.o8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "exefile" | 10.1.08.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd | 1o.1.o8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe | 1o.1.o8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "exefile" | 10.1.08.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | 1o.1.o8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.com | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.scr | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | 10.1.08.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.scr | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.JSE\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "exefile" | 1o.1.o8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.hta | 1o.1.o8.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c00310000000000e458c58610204c6f63616c00380008000400efbee4580384e458c5862a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000 | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "exefile" | 1o.1.o8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.hta\ = "exefile" | 1o.1.o8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.msi | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.hta\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | 10.1.08.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5200310000000000e4580384122041707044617461003c0008000400efbee4580384e45803842a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000016000000 | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" | 10.1.08.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "exefile" | 1o.1.o8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe | 10.1.08.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.jse | 10.1.08.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | 10.1.08.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "exefile" | 1o.1.o8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
2252 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 1
2780 | 10.1.08.exe | 37
2788 | 1o.1.o8.exe | 26
(The 64 entries are interleaved between PIDs 2780 and 2788 in the raw report; they are summarised here by process.)
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2252 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
2780 | 10.1.08.exe
2788 | 1o.1.o8.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2252 wrote to memory of 2036 | 2252 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 31
PID 2252 wrote to memory of 2036 | 2252 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 31
PID 2252 wrote to memory of 2036 | 2252 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 31
PID 2252 wrote to memory of 2036 | 2252 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 31
PID 2252 wrote to memory of 2780 | 2252 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 33
PID 2252 wrote to memory of 2780 | 2252 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 33
PID 2252 wrote to memory of 2780 | 2252 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 33
PID 2252 wrote to memory of 2780 | 2252 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 33
PID 2780 wrote to memory of 2788 | 2780 | 10.1.08.exe | 34
PID 2780 wrote to memory of 2788 | 2780 | 10.1.08.exe | 34
PID 2780 wrote to memory of 2788 | 2780 | 10.1.08.exe | 34
PID 2780 wrote to memory of 2788 | 2780 | 10.1.08.exe | 34
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe"
    PID: 2252
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (depth 2) C:\Windows\SysWOW64\explorer.exe
        Command line: explorer.exe C:\Users\Admin\AppData\Local\Temp\81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118
        PID: 2036
        - System Location Discovery: System Language Discovery
    (depth 2) C:\Windows\10.1.08.exe
        Command line: C:\Windows\10.1.08.exe first
        PID: 2780
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        (depth 3) C:\Windows\1o.1.o8.exe
            Command line: C:\Windows\1o.1.o8.exe first
            PID: 2788
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops autorun.inf file
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
(depth 1) C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    PID: 3012
    - Modifies Internet Explorer settings
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 64KB
  MD5: 81c4f9963dd2099915fd4e6f54dad969
  SHA1: f155b91ef95f08884e01e81d3938d8fb1bece37e
  SHA256: aca81d6f1061a026df786c014c6599faf8bb77bdba7c7ecf902aed5cb3940541
  SHA512: 042ec8438e47a6b7b95122abed3b7f10537aba1995f4bacf7067a155257107638f654e68a03ae0a807ce9a2b04f0af6ee0bc6fd02be105042d11602a5986f2f4
Filesize: 202B
  MD5: df3298142cadd966aed043f2e44e841b
  SHA1: b22111a6e77fe6ec8daea24da5545552ffedd187
  SHA256: adff5fba26d6f1cd6de55e9c0b32b74bbbf979817eb10aa3f84d9967f53509de
  SHA512: be89b677613043855003d693dbe924983009647ee47e6dd7eca200fa1ab0c79994e7b2b305edfe48a584ef7187725dbf8d6b78b2f396afcd2ff567a161e34ff0