Analysis

max time kernel: 147s
max time network: 152s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 10/08/2024, 23:26

Static task: static1
Behavioral task: behavioral1
  Sample: 881874a070327d9bc21841430e615142_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 881874a070327d9bc21841430e615142_JaffaCakes118.exe
  Resource: win10v2004-20240802-en

General

Target: 881874a070327d9bc21841430e615142_JaffaCakes118.exe
Size: 15KB
MD5: 881874a070327d9bc21841430e615142
SHA1: 4dbcc24e883792c348a75b661f52d4b2d42a2a32
SHA256: 505d65ac3377a85efb39c706e35101306e001788e02abdd4593fcf4bc24013fc
SHA512: bc627a15228dd4f7238009bb386e96cad2d45166d9bd4e8e1af8dc4b658fb0aaa5e577e6edc622040ec86f6a7bb0861218de5d97b1b06ebe8916e3c7a9b07f18
SSDEEP: 384:LqViEXfy9+Zd7oL9usCGFCHe4pqyqUhnYPkWEbt5NQuBNY:eVZX3oTCGFC+4pvhnkkfvBNY
Malware Config

Signatures

In the IoC lists below the "process" column is the submitted sample, 881874a070327d9bc21841430e615142_JaffaCakes118.exe (PID 3032), unless another process is named.

Drops file in Drivers directory (1 IoC)
  File opened for modification  C:\Windows\SysWOW64\drivers\Beep.sys  881874a070327d9bc21841430e615142_JaffaCakes118.exe
  Beep.sys is the stock beep driver. SysWOW64\drivers is where WoW64 file-system redirection sends a 32-bit process that opens System32\drivers, so this entry is consistent with a 32-bit sample overwriting the stock driver; because the kernel loads drivers from System32\drivers, check both locations on a live host.
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 64 IoCs)
  All 64 entries were written by 881874a070327d9bc21841430e615142_JaffaCakes118.exe beneath
  IFEO = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

  Set value (str)  IFEO\<image>\Debugger = "ntsd -d"  (28 entries) for:
    FileDsty.exe, safeboxTray.exe, AntiArp.exe, KAV32.exe, EGHOST.exe, mcconsol.exe, RavMon.exe, Rav.exe,
    rfwProxy.exe, avgrssvc.exe, KsLoader.exe, KvfwMcl.exe, RawCopy.exe, KAVStart.exe, Rtvscan.exe, MagicSet.exe,
    MpfSrv.exe, rfwmain.exe, HijackThis.exe, UmxPol.exe, WoptiClean.exe, SelfUpdate.exe, KRepair.com, RegClean.exe,
    Kregex.exe, KvXP.kxp, upiea.exe, KMailMon.exe

  Key created  IFEO\<image>  (36 entries) for:
    GFRing3.exe, KASMain.exe, Rtvscan.exe, isPwdSvc.exe, QQDoctorMain.exe, RavMon.exe, autoruns.exe, kvol.exe,
    Rav.exe, TrojDie.exe, zxsweep.exe, kvwsc.exe, 360rpt.exe, KAVSetup.exe, Ras.exe, avcenter.exe, filemon.exe,
    Rsaupd.exe, KASTask.exe, KPFW32.exe, KRepair.com, nod32.exe, KWatch9x.exe, AntiArp.exe, USBCleaner.exe,
    iparmo.exe, Mcshield.exe, safeboxTray.exe, UmxAgent.exe, avp.com, NPFMntor.exe, RavTask.exe, ccSvcHst.exe,
    HijackThis.exe, KAV32.exe, KWatch.exe

  Together the two groups name 56 distinct images (8 appear in both: Rtvscan.exe, RavMon.exe, Rav.exe, KRepair.com, AntiArp.exe, safeboxTray.exe, HijackThis.exe, KAV32.exe). The list is a kill-list of anti-virus and analysis tools, weighted toward Chinese-market products (Kingsoft, Rising, Jiangmin, 360, QQ Doctor) alongside Symantec, McAfee, Kaspersky, ESET, Avira, HijackThis and the Sysinternals autoruns/filemon utilities. When IFEO\<image>\Debugger is set, Windows launches the named debugger with the original command line appended instead of the image itself; ntsd.exe has not shipped with Windows since XP, so on Windows 7 and later the launch fails and the tool simply never starts. Both this signature and EnumeratesProcesses stop at exactly 64 entries, which points to a display cap rather than the complete set, so the on-host list is probably longer (a "Key created" row with no matching Debugger row is most likely truncation, not a key left empty).
Executes dropped EXE (5 IoCs)
  pid   process
  2588  svchost.exe
  2884  svchost.exe
  2188  svchost.exe
  1500  svchost.exe
  1240  svchost.exe
Impair Defenses: Safe Mode Boot (1 TTP, 3 IoCs)
  Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\POWER      881874a070327d9bc21841430e615142_JaffaCakes118.exe
  Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PROFSVC    881874a070327d9bc21841430e615142_JaffaCakes118.exe
  Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WINDEFEND  881874a070327d9bc21841430e615142_JaffaCakes118.exe
  SafeBoot\Minimal lists the services and drivers allowed to start in Safe Mode. Removing WINDEFEND keeps Windows Defender out of Safe Mode; removing POWER (Power) and PROFSVC (User Profile Service) from the minimal set is likely to break Safe Mode logon altogether, which defeats the usual "boot to Safe Mode and clean" response.
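A parser for the registry IoC rows above (the IFEO Debugger entries and the SafeBoot deletions), added here as an example and not produced by the sandbox: it reads rows in the page's own "description ioc Process" form and turns them into structured findings, reporting only a Debugger value (not a bare key creation) as an IFEO hijack and only deletions under SafeBoot as Safe Mode tampering. SAMPLE_ROWS is a constructed subset of the rows on this page, ALLOWED_DEBUGGERS is an assumed site allowlist, and the ATT&CK IDs are the ones matching the two signature names.

```python
"""Parser for the registry IoC rows in this report.

Added example, not sandbox output. It reads rows in the page's own form
("Set value (str) <key>\\<value> = "<data>" <process>", "Key created <key> <process>",
"Key deleted <key> <process>") and turns IFEO Debugger entries and SafeBoot
deletions into findings. SAMPLE_ROWS is a constructed subset of the rows on this
page; ALLOWED_DEBUGGERS stands in for a site policy and is an assumption.
"""
import re
from dataclasses import dataclass

IFEO = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAFEBOOT = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot"

# Assumption: Debugger values the site registered on purpose (e.g. a developer box
# pointing one image at vsjitdebugger). Empty means no Debugger value is expected.
ALLOWED_DEBUGGERS = frozenset()

SET_ROW = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<process>\S+)$')
KEY_ROW = re.compile(r"^Key (?P<action>created|deleted|opened) (?P<path>.+) (?P<process>\S+)$")


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK ID and name matching the signature on this page
    target: str      # IFEO image name, or SafeBoot entry relative to the SafeBoot key
    detail: str
    process: str


def parse_row(row):
    """Return (action, path, data, process) for one IoC row, or None if it does not parse."""
    m = SET_ROW.match(row.strip())
    if m:
        return "set", m["path"], m["data"], m["process"]
    m = KEY_ROW.match(row.strip())
    if m:
        return m["action"], m["path"], None, m["process"]
    return None


def _below(path, prefix):
    """Tail of path under prefix (case-insensitive), or None if path lies elsewhere."""
    if path.lower().startswith(prefix.lower() + "\\"):
        return path[len(prefix) + 1:]
    return None


def analyse(rows):
    findings = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        action, path, data, process = parsed
        rel = _below(path, IFEO)
        if rel is not None:
            parts = rel.split("\\")
            # Only a Debugger value under IFEO\<image> redirects that image's launch;
            # a bare "Key created" row is preparation and is not a finding by itself.
            if action == "set" and len(parts) == 2 and parts[1].lower() == "debugger" \
                    and data not in ALLOWED_DEBUGGERS:
                findings.append(Finding("T1546.012 Image File Execution Options Injection",
                                        parts[0], f'Debugger = "{data}"', process))
            continue
        rel = _below(path, SAFEBOOT)
        if rel is not None and action == "deleted":
            findings.append(Finding("T1562.009 Safe Mode Boot", rel, "key deleted", process))
    return findings


def hijacked_images(findings):
    """De-duplicated image names whose launch now goes to the rogue debugger."""
    return sorted({f.target for f in findings if f.technique.startswith("T1546.012")}, key=str.lower)


SAMPLE = "881874a070327d9bc21841430e615142_JaffaCakes118.exe"
# Constructed subset of the rows on this page, in the page's own format.
SAMPLE_ROWS = [
    f'Set value (str) {IFEO}\\FileDsty.exe\\Debugger = "ntsd -d" {SAMPLE}',
    f"Key created {IFEO}\\GFRing3.exe {SAMPLE}",
    f"Key created {IFEO}\\RavMon.exe {SAMPLE}",
    f'Set value (str) {IFEO}\\RavMon.exe\\Debugger = "ntsd -d" {SAMPLE}',
    f'Set value (str) {IFEO}\\KvXP.kxp\\Debugger = "ntsd -d" {SAMPLE}',
    f"Key deleted {SAFEBOOT}\\Minimal\\WINDEFEND {SAMPLE}",
    f"Key deleted {SAFEBOOT}\\Minimal\\PROFSVC {SAMPLE}",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe",
]

if __name__ == "__main__":
    found = analyse(SAMPLE_ROWS)
    for f in found:
        print(f"{f.technique:50} {f.target:18} {f.detail}  [{f.process}]")
    print("images that can no longer start:", ", ".join(hijacked_images(found)))
```

Feeding the full 64-row list through `analyse` gives the 28 hijacked images directly; the "Key created" rows drop out on purpose, since a key with no Debugger value changes nothing until the value lands.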
Loads dropped DLL (11 IoCs)
  pid   process
  3032  881874a070327d9bc21841430e615142_JaffaCakes118.exe  (11 loads recorded)
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe  (5 times, one per dropped svchost.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  881874a070327d9bc21841430e615142_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  3032  881874a070327d9bc21841430e615142_JaffaCakes118.exe  (64 process-list enumerations recorded, the display cap)
Suspicious behavior: LoadsDriver (2 IoCs)
  pid  process
  476  Process not Found
  476  Process not Found
  PID 476 is not in the sandbox's list of monitored processes, so the two driver loads during the run could not be attributed to a tracked process.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   3032  881874a070327d9bc21841430e615142_JaffaCakes118.exe
  Token: SeDebugPrivilege   3032  881874a070327d9bc21841430e615142_JaffaCakes118.exe
  SeDebugPrivilege lets the sample open handles to processes it does not own, which is what terminating or tampering with security-product processes requires.
Suspicious use of WriteProcessMemory (24 IoCs)
  source pid  source process                                       target pid  procid_target  writes
  3032        881874a070327d9bc21841430e615142_JaffaCakes118.exe  2756        30             4
  3032        881874a070327d9bc21841430e615142_JaffaCakes118.exe  2588        32             4
  3032        881874a070327d9bc21841430e615142_JaffaCakes118.exe  2884        37             4
  3032        881874a070327d9bc21841430e615142_JaffaCakes118.exe  2188        42             4
  3032        881874a070327d9bc21841430e615142_JaffaCakes118.exe  1500        47             4
  3032        881874a070327d9bc21841430e615142_JaffaCakes118.exe  1240        52             4
  Every target is a child the sample itself started (explorer.exe and the five dropped svchost.exe copies), and each receives the same four writes right after creation, which is what process creation looks like in this report; treat these rows as corroborating the process tree rather than as evidence of a separate injection step.
Processes

- C:\Users\Admin\AppData\Local\Temp\881874a070327d9bc21841430e615142_JaffaCakes118.exe (PID 3032)
  command line: "C:\Users\Admin\AppData\Local\Temp\881874a070327d9bc21841430e615142_JaffaCakes118.exe"
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Impair Defenses: Safe Mode Boot
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  children:
  - C:\Windows\explorer.exe (PID 2756)
    command line: C:\Windows\explorer.exe
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 2588)
    command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.1
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 2884)
    command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.2
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 2188)
    command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.3
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1500)
    command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.4
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1240)
    command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.5
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

The five svchost.exe children are the same dropped file in the user's Temp directory, not %SystemRoot%\System32\svchost.exe, and their parent is the sample rather than services.exe. Each is started with one successive 10.127.0.x address as its only argument; the Network section of this report is empty, so what the copies do with those addresses is not shown here.
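Detection logic over the process tree above, added here as an example and not part of the report: it flags a system image name (svchost.exe) executing from outside C:\Windows, svchost.exe whose parent is not services.exe, and a parent fanning out copies of one image across a run of consecutive IP-address arguments. PROCS is constructed from the PIDs, paths and command lines on this page (the parent of PID 3032 is not shown and is recorded as None); SYSTEM_IMAGES and EXPECTED_PARENT are short assumed policy tables.

```python
"""Process-tree checks for the tree shown on this page.

Added example, not sandbox output. PROCS is constructed from the PIDs, paths and
command lines in the report; the parent of PID 3032 is not shown there and is
recorded as None. SYSTEM_IMAGES and EXPECTED_PARENT are assumed policy tables.
"""
import ipaddress
import re
from collections import defaultdict

# Image names that should only execute from the Windows directory tree (assumption).
SYSTEM_IMAGES = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
WINDOWS_ROOTS = ("c:\\windows\\",)   # covers System32 and SysWOW64 as well
# Expected parent image per child image (assumption: svchost.exe is started by services.exe).
EXPECTED_PARENT = {"svchost.exe": "services.exe"}
# "<path> <ipv4>" with nothing else on the command line.
IP_ARG = re.compile(r"^\S+\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def masquerading(procs):
    """PIDs whose file name is a system image but whose path is outside C:\\Windows."""
    return [p["pid"] for p in procs
            if _name(p["path"]) in SYSTEM_IMAGES
            and not p["path"].lower().startswith(WINDOWS_ROOTS)]


def unexpected_parent(procs):
    """(pid, parent image) for children whose parent is not the one EXPECTED_PARENT names."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        want = EXPECTED_PARENT.get(_name(p["path"]))
        parent = by_pid.get(p["ppid"])
        if want and parent is not None and _name(parent["path"]) != want:
            hits.append((p["pid"], _name(parent["path"])))
    return hits


def ip_fanout(procs, min_children=3):
    """Parents that launched at least min_children copies of one image, each with a
    single IPv4 argument. Returns {parent_pid: {"image", "ips", "consecutive"}}."""
    groups = defaultdict(list)
    for p in procs:
        m = IP_ARG.match(p["cmdline"])
        if m and p["ppid"] is not None:
            groups[(p["ppid"], _name(p["path"]))].append(ipaddress.ip_address(m.group(1)))
    out = {}
    for (ppid, image), ips in groups.items():
        if len(ips) < min_children:
            continue
        ordered = sorted(ips)
        consecutive = all(int(b) - int(a) == 1 for a, b in zip(ordered, ordered[1:]))
        out[ppid] = {"image": image, "ips": [str(i) for i in ordered], "consecutive": consecutive}
    return out


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "881874a070327d9bc21841430e615142_JaffaCakes118.exe"
# Constructed from the process tree on this page.
PROCS = [
    {"pid": 3032, "ppid": None, "path": TEMP + "\\" + SAMPLE, "cmdline": f'"{TEMP}\\{SAMPLE}"'},
    {"pid": 2756, "ppid": 3032, "path": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\explorer.exe"},
] + [
    {"pid": pid, "ppid": 3032, "path": TEMP + r"\svchost.exe",
     "cmdline": TEMP + r"\\svchost.exe 10.127.0." + str(i)}   # doubled backslash exactly as the report shows it
    for i, pid in enumerate([2588, 2884, 2188, 1500, 1240], start=1)
]

if __name__ == "__main__":
    print("system image outside C:\\Windows:", masquerading(PROCS))
    print("unexpected parent:", unexpected_parent(PROCS))
    for ppid, info in ip_fanout(PROCS).items():
        print(f"PID {ppid} fanned out {info['image']} over {info['ips']} (consecutive={info['consecutive']})")
```

The three rules are deliberately independent: the path rule alone catches the dropped svchost.exe, the parent rule would still fire if the file had been dropped into a Windows directory, and the fan-out rule keys on the argument pattern rather than on the image name at all.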
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 5KB
  MD5:    cb9bdfde8f15d9af1353940632936d09
  SHA1:   67e27f1b550813f5ac08ad7ba53a0f1731b3bbb5
  SHA256: debdbd31ce2269b2c61b42992fb8d90fee649e5e4c7c591da6a5d014f7290713
  SHA512: 741d50a93ee9307da18e09a822277db8a536afdce9cf15dbfbb2ff01ff5fe6540102f85e2c1ca6efd6bdcd10e48cbc63341c88710599d932201941c7b2c15c38
- Filesize: 1.1MB
  MD5:    2ee1e467d73642afddb03019f58c252b
  SHA1:   ea1f3b03f46db029a955190692cecbc571e1d46c
  SHA256: 5a7d5dafe22082b3ed035d640578ed7b5005edfe80e5c911774ec77a2caff1b3
  SHA512: 3482715d7c9adbfe61f7834120d1a8fce47ae5d70add285ddcfe8802a5d4a95ae00ae82079b9b9639c5d4fa5126ecfc61e1b09a141c0fea86926e26fc22f9082