b7007ab111a128c3423d8efaefadc7c905c55969240782397a2ab971617bb3e4

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 15:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
Size

371KB
MD5

86a73a853feb9b75ac1d7bc1c116c8b0
SHA1

dd631d3ea89e1c1cbf5fd2f5404e1676de99a553
SHA256

b7007ab111a128c3423d8efaefadc7c905c55969240782397a2ab971617bb3e4
SHA512

6799ff6e3c10acc4ddc07f04ccc6d291cb9a40556fc442dc3725e174c68249437edb6ba37b9578ea9d75c93ad167b79fa6ad7a24d2b62eebcac20ea90070015d
SSDEEP

6144:V1ENpxhCfcKANZxfQX1cNTwQz39dH31O87DnVH9TXnHn3ttqPpSjt5VF:VUifxkXQX1uzL57p9XnH3rq857

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 27 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\stubpath = "\"C:\\Users\\Admin\\alg.exe\" s"	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\IsInstalled = "1"	alg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\IsInstalled = "1"	alg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\IsInstalled = "1"	alg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}	alg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}	alg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\stubpath = "\"C:\\Users\\Admin\\alg.exe\" s"	alg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\stubpath = "\"C:\\Users\\Admin\\alg.exe\" s"	alg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\stubpath = "\"C:\\Users\\Admin\\alg.exe\" s"	alg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\stubpath = "\"C:\\Users\\Admin\\alg.exe\" s"	alg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\IsInstalled = "1"	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\IsInstalled = "1"	alg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}	alg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\stubpath = "\"C:\\Users\\Admin\\alg.exe\" s"	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\stubpath = "\"C:\\Users\\Admin\\alg.exe\" s"	alg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\stubpath = "\"C:\\Users\\Admin\\alg.exe\" s"	alg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\IsInstalled = "1"	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\IsInstalled = "1"	alg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\IsInstalled = "1"	alg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\IsInstalled = "1"	alg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFC4044-77D9-47E7-197B-B6BE2C7DB41E}\stubpath = "\"C:\\Users\\Admin\\alg.exe\" s"	alg.exe

Executes dropped EXE 16 IoCs

pid	Process
656	alg.exe
3488	alg.exe
5020	alg.exe
4388	alg.exe
4072	alg.exe
3372	alg.exe
4984	alg.exe
3900	alg.exe
4368	alg.exe
528	alg.exe
3060	alg.exe
4024	alg.exe
232	alg.exe
3992	alg.exe
2192	alg.exe
2752	alg.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4836-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/656-20-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/4836-22-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/files/0x000a00000002333c-19.dat	upx
behavioral2/memory/656-56-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/5020-76-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/4072-105-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/4984-134-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/4368-163-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/3060-203-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/232-223-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/2192-254-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	alg.exe
File opened (read-only)	\??\l:	alg.exe
File opened (read-only)	\??\b:	alg.exe
File opened (read-only)	\??\a:	alg.exe
File opened (read-only)	\??\m:	alg.exe
File opened (read-only)	\??\g:	alg.exe
File opened (read-only)	\??\z:	alg.exe
File opened (read-only)	\??\e:	alg.exe
File opened (read-only)	\??\h:	alg.exe
File opened (read-only)	\??\s:	alg.exe
File opened (read-only)	\??\w:	alg.exe
File opened (read-only)	\??\e:	alg.exe
File opened (read-only)	\??\o:	alg.exe
File opened (read-only)	\??\w:	alg.exe
File opened (read-only)	\??\x:	alg.exe
File opened (read-only)	\??\q:	alg.exe
File opened (read-only)	\??\t:	alg.exe
File opened (read-only)	\??\y:	alg.exe
File opened (read-only)	\??\a:	alg.exe
File opened (read-only)	\??\p:	alg.exe
File opened (read-only)	\??\a:	alg.exe
File opened (read-only)	\??\b:	alg.exe
File opened (read-only)	\??\v:	alg.exe
File opened (read-only)	\??\i:	alg.exe
File opened (read-only)	\??\l:	alg.exe
File opened (read-only)	\??\o:	alg.exe
File opened (read-only)	\??\n:	alg.exe
File opened (read-only)	\??\p:	alg.exe
File opened (read-only)	\??\n:	alg.exe
File opened (read-only)	\??\g:	alg.exe
File opened (read-only)	\??\z:	alg.exe
File opened (read-only)	\??\j:	alg.exe
File opened (read-only)	\??\v:	alg.exe
File opened (read-only)	\??\w:	alg.exe
File opened (read-only)	\??\e:	alg.exe
File opened (read-only)	\??\b:	alg.exe
File opened (read-only)	\??\t:	alg.exe
File opened (read-only)	\??\t:	alg.exe
File opened (read-only)	\??\j:	alg.exe
File opened (read-only)	\??\n:	alg.exe
File opened (read-only)	\??\z:	alg.exe
File opened (read-only)	\??\z:	alg.exe
File opened (read-only)	\??\s:	alg.exe
File opened (read-only)	\??\n:	alg.exe
File opened (read-only)	\??\a:	alg.exe
File opened (read-only)	\??\b:	alg.exe
File opened (read-only)	\??\p:	alg.exe
File opened (read-only)	\??\u:	alg.exe
File opened (read-only)	\??\w:	alg.exe
File opened (read-only)	\??\z:	alg.exe
File opened (read-only)	\??\h:	alg.exe
File opened (read-only)	\??\a:	alg.exe
File opened (read-only)	\??\i:	alg.exe
File opened (read-only)	\??\x:	alg.exe
File opened (read-only)	\??\y:	alg.exe
File opened (read-only)	\??\r:	alg.exe
File opened (read-only)	\??\t:	alg.exe
File opened (read-only)	\??\z:	alg.exe
File opened (read-only)	\??\q:	alg.exe
File opened (read-only)	\??\u:	alg.exe
File opened (read-only)	\??\q:	alg.exe
File opened (read-only)	\??\j:	alg.exe
File opened (read-only)	\??\q:	alg.exe
File opened (read-only)	\??\y:	alg.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/656-20-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral2/memory/4836-22-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral2/memory/656-56-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral2/memory/5020-76-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral2/memory/4072-105-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral2/memory/4984-134-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral2/memory/4368-163-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral2/memory/3060-203-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral2/memory/232-223-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral2/memory/2192-254-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 4836 set thread context of 4896	4836	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe	83
PID 656 set thread context of 3488	656	alg.exe	85
PID 5020 set thread context of 4388	5020	alg.exe	100
PID 4072 set thread context of 3372	4072	alg.exe	109
PID 4984 set thread context of 3900	4984	alg.exe	114
PID 4368 set thread context of 528	4368	alg.exe	120
PID 3060 set thread context of 4024	3060	alg.exe	125
PID 232 set thread context of 3992	232	alg.exe	137
PID 2192 set thread context of 2752	2192	alg.exe	142

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1560	PING.EXE
4376	PING.EXE
2272	PING.EXE
4412	PING.EXE
4908	PING.EXE
4832	PING.EXE
3032	PING.EXE
2016	PING.EXE

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
4412	PING.EXE
4908	PING.EXE
4832	PING.EXE
3032	PING.EXE
2016	PING.EXE
1560	PING.EXE
4376	PING.EXE
2272	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4836	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
4836	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
4836	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
4836	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
656	alg.exe
656	alg.exe
656	alg.exe
656	alg.exe
656	alg.exe
656	alg.exe
4896	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
4896	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
4896	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
4896	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
3488	alg.exe
3488	alg.exe
3488	alg.exe
3488	alg.exe
5020	alg.exe
5020	alg.exe
5020	alg.exe
5020	alg.exe
5020	alg.exe
5020	alg.exe
4388	alg.exe
4388	alg.exe
4388	alg.exe
4388	alg.exe
4072	alg.exe
4072	alg.exe
4072	alg.exe
4072	alg.exe
4072	alg.exe
4072	alg.exe
3372	alg.exe
3372	alg.exe
3372	alg.exe
3372	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
3900	alg.exe
3900	alg.exe
3900	alg.exe
3900	alg.exe
4368	alg.exe
4368	alg.exe
4368	alg.exe
4368	alg.exe
4368	alg.exe
4368	alg.exe
528	alg.exe
528	alg.exe
528	alg.exe
528	alg.exe
3060	alg.exe
3060	alg.exe
3060	alg.exe
3060	alg.exe
3060	alg.exe
3060	alg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4896	4836	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe	83
PID 4836 wrote to memory of 4896	4836	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe	83
PID 4836 wrote to memory of 4896	4836	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe	83
PID 4836 wrote to memory of 4896	4836	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe	83
PID 4836 wrote to memory of 4896	4836	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe	83
PID 4836 wrote to memory of 4896	4836	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe	83
PID 4836 wrote to memory of 656	4836	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe	84
PID 4836 wrote to memory of 656	4836	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe	84
PID 4836 wrote to memory of 656	4836	86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe	84
PID 656 wrote to memory of 3488	656	alg.exe	85
PID 656 wrote to memory of 3488	656	alg.exe	85
PID 656 wrote to memory of 3488	656	alg.exe	85
PID 656 wrote to memory of 3488	656	alg.exe	85
PID 656 wrote to memory of 3488	656	alg.exe	85
PID 656 wrote to memory of 3488	656	alg.exe	85
PID 656 wrote to memory of 1448	656	alg.exe	86
PID 656 wrote to memory of 1448	656	alg.exe	86
PID 656 wrote to memory of 1448	656	alg.exe	86
PID 1448 wrote to memory of 4908	1448	cmd.exe	88
PID 1448 wrote to memory of 4908	1448	cmd.exe	88
PID 1448 wrote to memory of 4908	1448	cmd.exe	88
PID 3488 wrote to memory of 3396	3488	alg.exe	56
PID 3488 wrote to memory of 3396	3488	alg.exe	56
PID 3488 wrote to memory of 3396	3488	alg.exe	56
PID 3488 wrote to memory of 3396	3488	alg.exe	56
PID 1448 wrote to memory of 5020	1448	cmd.exe	99
PID 1448 wrote to memory of 5020	1448	cmd.exe	99
PID 1448 wrote to memory of 5020	1448	cmd.exe	99
PID 5020 wrote to memory of 4388	5020	alg.exe	100
PID 5020 wrote to memory of 4388	5020	alg.exe	100
PID 5020 wrote to memory of 4388	5020	alg.exe	100
PID 5020 wrote to memory of 4388	5020	alg.exe	100
PID 5020 wrote to memory of 4388	5020	alg.exe	100
PID 5020 wrote to memory of 4388	5020	alg.exe	100
PID 5020 wrote to memory of 2036	5020	alg.exe	101
PID 5020 wrote to memory of 2036	5020	alg.exe	101
PID 5020 wrote to memory of 2036	5020	alg.exe	101
PID 2036 wrote to memory of 4832	2036	cmd.exe	103
PID 2036 wrote to memory of 4832	2036	cmd.exe	103
PID 2036 wrote to memory of 4832	2036	cmd.exe	103
PID 4388 wrote to memory of 3396	4388	alg.exe	56
PID 4388 wrote to memory of 3396	4388	alg.exe	56
PID 4388 wrote to memory of 3396	4388	alg.exe	56
PID 4388 wrote to memory of 3396	4388	alg.exe	56
PID 2036 wrote to memory of 4072	2036	cmd.exe	108
PID 2036 wrote to memory of 4072	2036	cmd.exe	108
PID 2036 wrote to memory of 4072	2036	cmd.exe	108
PID 4072 wrote to memory of 3372	4072	alg.exe	109
PID 4072 wrote to memory of 3372	4072	alg.exe	109
PID 4072 wrote to memory of 3372	4072	alg.exe	109
PID 4072 wrote to memory of 3372	4072	alg.exe	109
PID 4072 wrote to memory of 3372	4072	alg.exe	109
PID 4072 wrote to memory of 3372	4072	alg.exe	109
PID 4072 wrote to memory of 2676	4072	alg.exe	110
PID 4072 wrote to memory of 2676	4072	alg.exe	110
PID 4072 wrote to memory of 2676	4072	alg.exe	110
PID 2676 wrote to memory of 3032	2676	cmd.exe	112
PID 2676 wrote to memory of 3032	2676	cmd.exe	112
PID 2676 wrote to memory of 3032	2676	cmd.exe	112
PID 3372 wrote to memory of 3396	3372	alg.exe	56
PID 3372 wrote to memory of 3396	3372	alg.exe	56
PID 3372 wrote to memory of 3396	3372	alg.exe	56
PID 3372 wrote to memory of 3396	3372	alg.exe	56
PID 2676 wrote to memory of 4984	2676	cmd.exe	113

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3396
- C:\Users\Admin\AppData\Local\Temp\86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\86a73a853feb9b75ac1d7bc1c116c8b0_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4896
- - C:\Users\Admin\alg.exe
    C:\Users\Admin\alg.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Users\Admin\alg.exe
      "C:\Users\Admin\alg.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mmTemp.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 127.0.0.1
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4908
    - - C:\Users\Admin\alg.exe
        
        C:\Users\Admin\alg.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Users\Admin\alg.exe
        
        "C:\Users\Admin\alg.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mmTemp.bat
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 127.0.0.1
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4832
        
        C:\Users\Admin\alg.exe
        
        C:\Users\Admin\alg.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Users\Admin\alg.exe
        
        "C:\Users\Admin\alg.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mmTemp.bat
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 127.0.0.1
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3032
        
        C:\Users\Admin\alg.exe
        
        C:\Users\Admin\alg.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4984
        
        C:\Users\Admin\alg.exe
        
        "C:\Users\Admin\alg.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mmTemp.bat
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 127.0.0.1
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2016
        
        C:\Users\Admin\alg.exe
        
        C:\Users\Admin\alg.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4368
        
        C:\Users\Admin\alg.exe
        
        "C:\Users\Admin\alg.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mmTemp.bat
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 127.0.0.1
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1560
        
        C:\Users\Admin\alg.exe
        
        C:\Users\Admin\alg.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3060
        
        C:\Users\Admin\alg.exe
        
        "C:\Users\Admin\alg.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mmTemp.bat
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 127.0.0.1
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4376
        
        C:\Users\Admin\alg.exe
        
        C:\Users\Admin\alg.exe"
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Users\Admin\alg.exe
        
        "C:\Users\Admin\alg.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mmTemp.bat
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 127.0.0.1
        17⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2272
        
        C:\Users\Admin\alg.exe
        
        C:\Users\Admin\alg.exe"
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\alg.exe
        
        "C:\Users\Admin\alg.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mmTemp.bat
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 127.0.0.1
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autD4E4.tmp

Filesize
56KB

MD5
df2cda14f46180a78444cbe25760e7f8

SHA1
3567cbb5672164eab38ccd55ed4ea31505e07a59

SHA256
e6beaf2cbb389b73af052d3153ce4150cf72d4122e0dddc17f1c615f01bea66e

SHA512
7aac5fd4eac231aea838367712123921670d7f0ad7c22ea9d6e59479468c98899d6166abdf8ceb9fb1e9d6f8c3b00c2d33e43b7fd625ee23261c2b8fde1d988e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmTemp.bat

Filesize
53B

MD5
174e2da75e6dbd2c4651e9e7e1a9b84a

SHA1
71fef96ddfe294ac17589a0dff604f7a0f175487

SHA256
23a4c11a0301577458ed2dce1d940822c4fb7ae8670a80f0354667ac78d8f10e

SHA512
6ad79f3494137d2256576951c61c5b98577e63fb1d24520662ac06d258c351baf8797930a269d45c8e974b5c6046757f686ae46965859550fc656fb459a0657e

Download Submit
C:\Users\Admin\AppData\Roaming\addons.dat

Filesize
24KB

MD5
3a5f96d59226567f61b9351ce862d886

SHA1
8cc9e263e290d884f3d541fffa1ef3258ce6537b

SHA256
4df16ae658deb5fc7bc3b3062ac778ce1ad49fd0fa206ac8cae0bc122c70e823

SHA512
c64870b3deb6d9fef68f4778ebdfb8e4112ad0a72d0f5a743512eeb365e206bb6fbc0e2297580473a1481c2549777b3d07c9fe9f702cba475b4ca330a04274e1

Download Submit
C:\Users\Admin\alg.exe

Filesize
371KB

MD5
86a73a853feb9b75ac1d7bc1c116c8b0

SHA1
dd631d3ea89e1c1cbf5fd2f5404e1676de99a553

SHA256
b7007ab111a128c3423d8efaefadc7c905c55969240782397a2ab971617bb3e4

SHA512
6799ff6e3c10acc4ddc07f04ccc6d291cb9a40556fc442dc3725e174c68249437edb6ba37b9578ea9d75c93ad167b79fa6ad7a24d2b62eebcac20ea90070015d

Download Submit
memory/232-223-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/528-160-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/528-170-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/528-173-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/656-56-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/656-20-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2192-254-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2752-251-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2752-264-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3060-203-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3372-102-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3372-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3396-50-0x00000000FFFD0000-0x00000000FFFD1000-memory.dmp

Filesize
4KB

Download
memory/3396-42-0x00000000FFFF0000-0x00000000FFFF7000-memory.dmp

Filesize
28KB

Download
memory/3488-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3488-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3900-131-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3900-143-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3992-220-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3992-234-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4024-201-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4024-190-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4072-105-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4368-163-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4388-85-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4388-83-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4388-73-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4836-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4836-22-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4896-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4896-43-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4896-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4896-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4896-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4984-134-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/5020-76-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download