Analysis
max time kernel: 149s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/08/2024, 06:28
Static task: static1
Behavioral task: behavioral1
  Sample: 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe
Size: 460KB
MD5: 8daa8d5d9ee0fbf93fdf60435d60d0d3
SHA1: 6bab26b5931fb3127ec12c85c311c1aea248d3f6
SHA256: 927da89a8d07a6c470479e23f8716a960d66ed84388a5c8ac4c752087074feed
SHA512: 9ebd580fc68b94cfb6f457601c3323ea249285cc84d91fb52d82b785c27b0c48e64b39d41f00180172a53629f203ae7f12d6d572d98901160c49d3d5d99e85b8
SSDEEP: 12288:rlSt6oIHNOhU5O5TYo4XqTig5GSR9CClDDL:rlSt69HNx6T/5xT
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | iBdqphzke5.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | saipoaq.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | iBdqphzke5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe
Executes dropped EXE (6 IoCs)
pid | Process
3256 | iBdqphzke5.exe
5004 | astat.exe
3508 | astat.exe
3068 | saipoaq.exe
2028 | dstat.exe
1672 | fstat.exe

resource | yara_rule
behavioral2/memory/3508-42-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/3508-45-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/3508-46-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/3508-48-0x0000000000400000-0x000000000040E000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 52 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /O" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /i" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /x" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /Z" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /B" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /a" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /z" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /h" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /U" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /e" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /M" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /b" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /g" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /o" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /t" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /K" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /n" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /k" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /T" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /J" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /G" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /q" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /F" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /j" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /W" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /f" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /C" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /d" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /Y" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /c" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /u" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /H" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /l" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /P" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /A" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /w" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /E" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /X" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /s" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /S" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /r" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /y" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /D" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /L" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /m" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /X" | iBdqphzke5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /V" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /N" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /I" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /Q" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /v" | saipoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saipoaq = "C:\\Users\\Admin\\saipoaq.exe /R" | saipoaq.exe
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
pid | Process
4836 | tasklist.exe
4420 | tasklist.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 5004 set thread context of 3508 | 5004 | astat.exe | 99
PID 1672 set thread context of 2752 | 1672 | fstat.exe | 114
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | astat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iBdqphzke5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | saipoaq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dstat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fstat.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3256 | iBdqphzke5.exe
3256 | iBdqphzke5.exe
3508 | astat.exe
3508 | astat.exe
3256 | iBdqphzke5.exe
3256 | iBdqphzke5.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3508 | astat.exe
3508 | astat.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3508 | astat.exe
3508 | astat.exe
3508 | astat.exe
3508 | astat.exe
3508 | astat.exe
3508 | astat.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3508 | astat.exe
3508 | astat.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3508 | astat.exe
3508 | astat.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3508 | astat.exe
3508 | astat.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3508 | astat.exe
3508 | astat.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3508 | astat.exe
3508 | astat.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3508 | astat.exe
3508 | astat.exe
3508 | astat.exe
3508 | astat.exe
3508 | astat.exe
3508 | astat.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
3068 | saipoaq.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4836 | tasklist.exe
Token: SeDebugPrivilege | 1672 | fstat.exe
Token: SeDebugPrivilege | 4420 | tasklist.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process
3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe
3256 | iBdqphzke5.exe
5004 | astat.exe
3068 | saipoaq.exe
2028 | dstat.exe
Suspicious use of WriteProcessMemory (39 IoCs)
description | pid | Process | procid_target
PID 3584 wrote to memory of 3256 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 93
PID 3584 wrote to memory of 3256 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 93
PID 3584 wrote to memory of 3256 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 93
PID 3584 wrote to memory of 5004 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 98
PID 3584 wrote to memory of 5004 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 98
PID 3584 wrote to memory of 5004 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 98
PID 5004 wrote to memory of 3508 | 5004 | astat.exe | 99
PID 5004 wrote to memory of 3508 | 5004 | astat.exe | 99
PID 5004 wrote to memory of 3508 | 5004 | astat.exe | 99
PID 5004 wrote to memory of 3508 | 5004 | astat.exe | 99
PID 5004 wrote to memory of 3508 | 5004 | astat.exe | 99
PID 5004 wrote to memory of 3508 | 5004 | astat.exe | 99
PID 5004 wrote to memory of 3508 | 5004 | astat.exe | 99
PID 5004 wrote to memory of 3508 | 5004 | astat.exe | 99
PID 3256 wrote to memory of 3068 | 3256 | iBdqphzke5.exe | 100
PID 3256 wrote to memory of 3068 | 3256 | iBdqphzke5.exe | 100
PID 3256 wrote to memory of 3068 | 3256 | iBdqphzke5.exe | 100
PID 3256 wrote to memory of 1936 | 3256 | iBdqphzke5.exe | 102
PID 3256 wrote to memory of 1936 | 3256 | iBdqphzke5.exe | 102
PID 3256 wrote to memory of 1936 | 3256 | iBdqphzke5.exe | 102
PID 1936 wrote to memory of 4836 | 1936 | cmd.exe | 104
PID 1936 wrote to memory of 4836 | 1936 | cmd.exe | 104
PID 1936 wrote to memory of 4836 | 1936 | cmd.exe | 104
PID 3584 wrote to memory of 2028 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 105
PID 3584 wrote to memory of 2028 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 105
PID 3584 wrote to memory of 2028 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 105
PID 3584 wrote to memory of 1672 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 113
PID 3584 wrote to memory of 1672 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 113
PID 3584 wrote to memory of 1672 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 113
PID 1672 wrote to memory of 2752 | 1672 | fstat.exe | 114
PID 1672 wrote to memory of 2752 | 1672 | fstat.exe | 114
PID 1672 wrote to memory of 2752 | 1672 | fstat.exe | 114
PID 1672 wrote to memory of 2752 | 1672 | fstat.exe | 114
PID 3584 wrote to memory of 4852 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 116
PID 3584 wrote to memory of 4852 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 116
PID 3584 wrote to memory of 4852 | 3584 | 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe | 116
PID 4852 wrote to memory of 4420 | 4852 | cmd.exe | 118
PID 4852 wrote to memory of 4420 | 4852 | cmd.exe | 118
PID 4852 wrote to memory of 4420 | 4852 | cmd.exe | 118
Processes
(indentation shows the process tree; the parent PID of each child is given in parentheses)

C:\Users\Admin\AppData\Local\Temp\8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe (PID 3584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\iBdqphzke5.exe (PID 3256, parent 3584)
    Command line: C:\Users\Admin\iBdqphzke5.exe
    - Modifies visibility of hidden/system files in Explorer
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\saipoaq.exe (PID 3068, parent 3256)
      Command line: "C:\Users\Admin\saipoaq.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe (PID 1936, parent 3256)
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del iBdqphzke5.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\tasklist.exe (PID 4836, parent 1936)
        Command line: tasklist
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\astat.exe (PID 5004, parent 3584)
    Command line: C:\Users\Admin\astat.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\astat.exe (PID 3508, parent 5004)
      Command line: "C:\Users\Admin\astat.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\dstat.exe (PID 2028, parent 3584)
    Command line: C:\Users\Admin\dstat.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\fstat.exe (PID 1672, parent 3584)
    Command line: C:\Users\Admin\fstat.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2752, parent 1672)
      Command line: "C:\Windows\system32\cmd.exe"

  C:\Windows\SysWOW64\cmd.exe (PID 4852, parent 3584)
    Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\tasklist.exe (PID 4420, parent 4852)
      Command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1352)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4264,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=1964 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
Downloads