Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-08-2024 18:27

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe
- Resource: win7-20240704-en
General
- Target: 9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe
- Size: 457KB
- MD5: 9b24f78266073aed6e00462cb31756e2
- SHA1: 603e0d50a9b9464a0a7d70dd0bfb06191918ea6e
- SHA256: f8c4d7333771ba91143b8122fe3b8a20b624efc6f2ed9a9899bde7d025518433
- SHA512: 3fe6b0af07cd3b4661c3d84003c5b6d644727ad2826e273875f9f01aad4bb8bfc7eef7f02087c0dd5aa5d5c64797721dabfddae6ce6bedb83969fc64c6c845fe
- SSDEEP: 6144:2w9MMg9RwSjLLag2UmGaUtMulLE6raZIMHJJmVLxIyvTTYRP0mCiiggprtQglW+9:f9MblXeU7tMuMHrwLne8d/gopQgYxCm
Malware Config
Extracted
- Family: cybergate
- Version: 2.6
- Botnet / campaign ID: vítima (Portuguese for "victim")
- C2: six17.no-ip.biz:81
- Mutex: ***MUTEX***
- Attributes:
  - enable_keylogger: true
  - enable_message_box: false
  - ftp_directory: ./logs/
  - ftp_interval: 30
  - injected_process: explorer.exe
  - install_dir: Svchost
  - install_file: Svchost.exe
  - install_flag: true
  - keylogger_enable_ftp: false
  - password: abcd1234
  - regkey_hkcu: HKCU
  - regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Process: vbc.exe
- Key created: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Svchost\\Svchost.exe" (vbc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Svchost\\Svchost.exe" (vbc.exe)
Note: Explorer honours Policies\Explorer\Run like the ordinary Run key, but legitimate software almost never writes to it, so a write here is worth alerting on by itself.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 6 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: vbc.exe, vbc.exe, explorer.exe
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V} (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V}\StubPath = "C:\\Windows\\system32\\Svchost\\Svchost.exe Restart" (vbc.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V} (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V}\StubPath = "C:\\Windows\\system32\\Svchost\\Svchost.exe Restart" (vbc.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V}\StubPath = "C:\\Windows\\system32\\Svchost\\Svchost.exe" (explorer.exe)
Note: the component name {C5W635MC-76M6-FLUM-0BL4-623A554WR36V} is not a well-formed GUID (it contains non-hex characters such as W, M, L, U, R and V), which is itself a usable detection for Active Setup abuse. The keys land under WOW6432Node because the writing processes are 32-bit; the third writer is the 32-bit explorer.exe (PID 1556) that vbc.exe spawned, not the desktop shell (see the process tree below).
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Process: 9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe)
Executes dropped EXE (1 IoC)
- PID 3056: Svchost.exe

YARA rule matches: upx (3 IoCs)
- behavioral2/memory/2564-20-0x0000000024010000-0x0000000024072000-memory.dmp (rule: upx)
- behavioral2/memory/1556-85-0x0000000024080000-0x00000000240E2000-memory.dmp (rule: upx)
- behavioral2/memory/1556-272-0x0000000024080000-0x00000000240E2000-memory.dmp (rule: upx)
Note: the UPX-packed region sits inside vbc.exe (PID 2564) and the 32-bit explorer.exe (PID 1556), neither of which is packed on disk; the payload was written into those processes, consistent with the SetThreadContext and WriteProcessMemory signatures below.
Uses the VBS compiler for execution (1 TTP)
Note: vbc.exe is the .NET Visual Basic compiler, a signed Microsoft binary. In this run it is launched with no arguments (see the process tree) and used as a host for injected code, not to compile anything.
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: vbc.exe, 9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Svchost\\Svchost.exe" (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Svchost\\Svchost.exe" (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost = "C:\\Users\\Admin\\AppData\\Roaming\\zkHrWvUYWU.exe" (9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe)
Note: the value names HKLM and HKCU are the regkey_hklm and regkey_hkcu strings from the extracted config. The third entry is written by the dropper itself and points at a different executable under the user's Roaming profile.
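The registry IoCs above (Policies\Explorer\Run, the Active Setup StubPath, and the Run values named after the config's regkey_hkcu/regkey_hklm fields) can be turned into a small hunt over sandbox or EDR registry events. The following Python is an added example and not part of the sandbox report: CONFIG copies the values from the Malware Config section, EVENTS are constructed from the IoCs listed above plus two benign entries marked as constructed, and the rule names and the CANONICAL_SVCHOST_DIRS allowlist are my own choices. It also shows the normalization a practitioner needs here: the 32-bit implant's writes land under WOW6432Node and in SysWOW64, while the strings it writes say system32.

```python
"""Hunt for CyberGate-style registry persistence in sandbox registry events.

Added example, not part of the sandbox report. CONFIG copies the extracted
config; EVENTS are constructed from the report's registry IoCs plus two
benign entries (marked) for contrast. Rule names are my own.
"""
import re
from collections import Counter, namedtuple

CONFIG = {                      # from the "Malware Config" section of the report
    "install_dir": "Svchost",
    "install_file": "Svchost.exe",
    "regkey_hkcu": "HKCU",      # value name written under HKCU\...\Run
    "regkey_hklm": "HKLM",      # value name written under HKLM\...\Run
}

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RUN_KEY = "software\\microsoft\\windows\\currentversion\\run"
POLICIES_RUN = "software\\microsoft\\windows\\currentversion\\policies\\explorer\\run"
ACTIVE_SETUP = "software\\microsoft\\active setup\\installed components"
CANONICAL_SVCHOST_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}  # assumed allowlist

# op is "key_created" or "set_value"; for set_value the last path component is the value name.
RegEvent = namedtuple("RegEvent", "op path data process")


def expected_artifacts(cfg):
    """Predict on-host artifacts from the config. The implant writes a system32 path, but it
    runs as a 32-bit process, so on x64 the file is redirected into SysWOW64 (as the
    "Drops file in System32 directory" IoCs show)."""
    claimed = "C:\\Windows\\system32\\" + cfg["install_dir"] + "\\" + cfg["install_file"]
    return {
        "claimed_path": claimed,
        "on_disk_path": claimed.replace("\\system32\\", "\\SysWOW64\\"),
        "run_value_names": {cfg["regkey_hkcu"].lower(), cfg["regkey_hklm"].lower()},
    }


def normalize_key(path):
    """Map a native path (REGISTRY\\USER\\<SID>\\..., REGISTRY\\MACHINE\\...) to HKCU|HKLM\\<lowercased
    subkey>, dropping the SID and any WOW6432Node segment so 32- and 64-bit writes compare equal."""
    parts = [p for p in path.split("\\") if p]
    if len(parts) < 3 or parts[0].upper() != "REGISTRY":
        raise ValueError("not a native registry path: " + path)
    if parts[1].upper() == "USER":
        hive, rest = "HKCU", parts[3:]        # parts[2] is the user SID
    elif parts[1].upper() == "MACHINE":
        hive, rest = "HKLM", parts[2:]
    else:
        raise ValueError("unknown hive in: " + path)
    return "\\".join([hive] + [p.lower() for p in rest if p.upper() != "WOW6432NODE"])


def exe_from_command(data):
    """Image path from value data such as C:\\x\\y.exe Restart or "C:\\a b\\y.exe" /x."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.I)
    return m.group(1) if m else data.split(" ")[0]


def hunt(events, cfg=CONFIG):
    """Return (rule, process, normalized value path, data) per hit; one event may hit several rules."""
    exp = expected_artifacts(cfg)
    findings = []
    for ev in events:
        if ev.op != "set_value":
            continue
        full = normalize_key(ev.path)
        key, _, name = full.rpartition("\\")
        subkey = key.partition("\\")[2]                  # strip the hive
        exe_dir, _, exe_name = exe_from_command(ev.data).lower().rpartition("\\")
        hits = []
        if subkey == POLICIES_RUN:                      # almost never used by legitimate software
            hits.append("policies_explorer_run")
        if subkey == RUN_KEY and name in exp["run_value_names"]:
            hits.append("run_value_named_like_config")  # value names lifted straight from the config
        if subkey.startswith(ACTIVE_SETUP + "\\"):
            component = subkey[len(ACTIVE_SETUP) + 1:].split("\\")[0]
            if not GUID_RE.match(component):            # {C5W635MC-...} is not hex
                hits.append("active_setup_invalid_guid")
        if exe_name == "svchost.exe" and exe_dir not in CANONICAL_SVCHOST_DIRS:
            hits.append("svchost_masquerade_path")
        if subkey in (RUN_KEY, POLICIES_RUN) and exe_dir.endswith("\\appdata\\roaming"):
            hits.append("run_from_roaming_root")        # noisy heuristic; pair with an allowlist
        findings.extend((h, ev.process, full, ev.data) for h in hits)
    return findings


def rule_counts(events, cfg=CONFIG):
    return dict(Counter(f[0] for f in hunt(events, cfg)))


SID = "S-1-5-21-1302416131-1437503476-2806442725-1000"
HKU, HKM = "\\REGISTRY\\USER\\" + SID + "\\", "\\REGISTRY\\MACHINE\\"
IMPLANT = "C:\\Windows\\system32\\Svchost\\Svchost.exe"   # the string the implant writes
COMP = "{C5W635MC-76M6-FLUM-0BL4-623A554WR36V}"
CV = "Microsoft\\Windows\\CurrentVersion\\"
AS = "SOFTWARE\\WOW6432Node\\Microsoft\\Active Setup\\Installed Components\\"
SAMPLE = "9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe"

EVENTS = [  # constructed from the report's registry IoCs
    RegEvent("key_created", HKU + "Software\\" + CV + "Policies\\Explorer\\Run", "", "vbc.exe"),
    RegEvent("set_value", HKU + "SOFTWARE\\" + CV + "Policies\\Explorer\\Run\\Policies", IMPLANT, "vbc.exe"),
    RegEvent("set_value", HKM + "SOFTWARE\\" + CV + "Policies\\Explorer\\Run\\Policies", IMPLANT, "vbc.exe"),
    RegEvent("set_value", HKM + AS + COMP + "\\StubPath", IMPLANT + " Restart", "vbc.exe"),
    RegEvent("set_value", HKM + AS + COMP + "\\StubPath", IMPLANT, "explorer.exe"),
    RegEvent("set_value", HKM + "SOFTWARE\\WOW6432Node\\" + CV + "Run\\HKLM", IMPLANT, "vbc.exe"),
    RegEvent("set_value", HKU + "SOFTWARE\\" + CV + "Run\\HKCU", IMPLANT, "vbc.exe"),
    RegEvent("set_value", HKU + "SOFTWARE\\" + CV + "Run\\Svchost",
             "C:\\Users\\Admin\\AppData\\Roaming\\zkHrWvUYWU.exe", SAMPLE),
    # constructed benign entries, not from the report
    RegEvent("set_value", HKU + "SOFTWARE\\" + CV + "Run\\OneDrive",
             '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background', "explorer.exe"),
    RegEvent("set_value", HKM + "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
             "{12345678-1234-1234-1234-123456789abc}\\StubPath",
             "C:\\Windows\\System32\\example_setup.exe /install", "msiexec.exe"),
]

if __name__ == "__main__":
    print("expected on disk:", expected_artifacts(CONFIG)["on_disk_path"])
    for rule, proc, path, data in hunt(EVENTS):
        print(f"{rule:30} {proc:12} {path} = {data}")
```

Every implant-written value trips at least one rule, while the two constructed benign entries trip none. The dropper's own Run value (zkHrWvUYWU.exe in the Roaming root) is caught only by the noisy run_from_roaming_root heuristic, so in production that rule needs an allowlist of known installers that also drop executables there.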
Drops file in System32 directory (6 IoCs)
Processes: vbc.exe (three instances)
- File opened for modification: C:\Windows\SysWOW64\Svchost\ (vbc.exe)
- File created: C:\Windows\SysWOW64\Svchost\Svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\Svchost\Svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\Svchost\Svchost.exe (vbc.exe)
- File created: C:\Windows\SysWOW64\Svchost\Svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\Svchost\Svchost.exe (vbc.exe)
Note: the config and every registry value name C:\Windows\system32\Svchost\Svchost.exe, but the 32-bit vbc.exe process is subject to file-system redirection on x64, so the file actually lands in SysWOW64. Hunt for both spellings.
Suspicious use of SetThreadContext (2 IoCs)
- PID 1468 (9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe) set thread context of PID 2564 (vbc.exe)
- PID 4520 (9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe) set thread context of PID 4976 (vbc.exe)
Note: combined with the parent's WriteProcessMemory calls into the same child (below), this is the process-hollowing pattern: a freshly created vbc.exe has its thread context redirected to the payload written into it.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
- WerFault.exe PID 1672 handled a crash of PID 4880 (vbc.exe)
- WerFault.exe PID 4712 handled a crash of PID 4880 (vbc.exe)
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by vbc.exe (x4), explorer.exe, Svchost.exe and 9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe (x2)
Modifies registry class (1 IoC)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (vbc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs, deduplicated by process)
- PID 1468: 9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe
- PID 4520: 9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe
- PID 2564: vbc.exe
- PID 4976: vbc.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2560: vbc.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 1468 (9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe)
- Token: SeDebugPrivilege, PID 4520 (9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe)
- Token: SeDebugPrivilege, PID 2560 (vbc.exe)
- Token: SeDebugPrivilege, PID 2560 (vbc.exe)
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2564: vbc.exe
Suspicious use of WriteProcessMemory (64 IoCs, deduplicated by source/target pair)
- PID 1468 (9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe) wrote to memory of PID 2564 (vbc.exe)
- PID 1468 (9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe) wrote to memory of PID 4520 (9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe)
- PID 4520 (9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe) wrote to memory of PID 4976 (vbc.exe)
- PID 2564 (vbc.exe) wrote to memory of PID 3392 (Explorer.EXE)
Note: the last pair is the write into the desktop shell that the config's injected_process = explorer.exe describes; the first and third pairs, together with the SetThreadContext events above, are the hollowing of the two vbc.exe instances.
Processes

[1] C:\Windows\Explorer.EXE (PID 3392)
    cmdline: C:\Windows\Explorer.EXE

  [2] C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe (PID 1468), parent 3392
      cmdline: "C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe"
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2564), parent 1468
        cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        - Adds policy Run key to start application
        - Boot or Logon Autostart Execution: Active Setup
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\explorer.exe (PID 1556), parent 2564
          cmdline: explorer.exe
          - Boot or Logon Autostart Execution: Active Setup
          - System Location Discovery: System Language Discovery

      [4] C:\Program Files\Internet Explorer\iexplore.exe (PID 1668), parent 2564
          cmdline: "C:\Program Files\Internet Explorer\iexplore.exe"

      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2560), parent 2564
          cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\Svchost\Svchost.exe (PID 3056), parent 2560
            cmdline: "C:\Windows\system32\Svchost\Svchost.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [3] C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe (PID 4520), parent 1468
        cmdline: "C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe"
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4976), parent 4520
          cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          - Boot or Logon Autostart Execution: Active Setup
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

        [5] C:\Program Files\Internet Explorer\iexplore.exe (PID 444), parent 4976
            cmdline: "C:\Program Files\Internet Explorer\iexplore.exe"

        [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4880), parent 4976
            cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
            - System Location Discovery: System Language Discovery

          [6] C:\Windows\SysWOW64\WerFault.exe (PID 1672), parent 4880
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 948
              - Program crash

          [6] C:\Windows\SysWOW64\WerFault.exe (PID 4712), parent 4880
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 984
              - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe (PID 1144)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4880 -ip 4880

[1] C:\Windows\SysWOW64\WerFault.exe (PID 3908)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4880 -ip 4880
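The process tree and the SetThreadContext/WriteProcessMemory signatures describe the same chain from two angles; the following Python, an added example that is not part of the report, joins them into a short triage. PROCS is constructed from the tree above (parent PIDs are taken from the tree's nesting; the two WerFault.exe processes at depth 1, whose parent is outside the captured tree, are omitted), MEM_EVENTS from the two injection signatures after deduplication, and the rule names and the CANONICAL_SVCHOST_DIRS allowlist are my own. It flags a child as hollowed only when its own parent both set its thread context and wrote into its memory, which is the pattern the sample shows against vbc.exe but not against its own second instance (PID 4520 only receives WriteProcessMemory).

```python
"""Process-tree triage for the hollowing chain in the sandbox report.

Added example, not part of the report. PROCS is constructed from the
"Processes" tree and MEM_EVENTS from the SetThreadContext and
WriteProcessMemory signatures (deduplicated). Rule names are my own.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE = "9b24f78266073aed6e00462cb31756e2_JaffaCakes118.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
VBC = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"
IE = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
WER = "C:\\Windows\\SysWOW64\\WerFault.exe"
CANONICAL_SVCHOST_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}  # assumed allowlist


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None when the parent is outside the captured tree
    image: str
    cmdline: str


@dataclass
class MemEvent:
    kind: str             # "set_thread_context" or "write_process_memory"
    src: int
    dst: int


PROCS = [  # constructed from the report's process tree
    Proc(3392, None, "C:\\Windows\\Explorer.EXE", "C:\\Windows\\Explorer.EXE"),
    Proc(1468, 3392, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    Proc(2564, 1468, VBC, VBC),                            # compiler launched with no arguments
    Proc(1556, 2564, "C:\\Windows\\SysWOW64\\explorer.exe", "explorer.exe"),
    Proc(1668, 2564, IE, '"' + IE + '"'),
    Proc(2560, 2564, VBC, '"' + VBC + '"'),
    Proc(3056, 2560, "C:\\Windows\\SysWOW64\\Svchost\\Svchost.exe",
         '"C:\\Windows\\system32\\Svchost\\Svchost.exe"'),  # image vs cmdline differ: WOW64 redirection
    Proc(4520, 1468, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    Proc(4976, 4520, VBC, VBC),
    Proc(444, 4976, IE, '"' + IE + '"'),
    Proc(4880, 4976, VBC, '"' + VBC + '"'),
    Proc(1672, 4880, WER, WER + " -u -p 4880 -s 948"),
    Proc(4712, 4880, WER, WER + " -u -p 4880 -s 984"),
]

MEM_EVENTS = [  # deduplicated from the two injection signatures
    MemEvent("set_thread_context", 1468, 2564),
    MemEvent("set_thread_context", 4520, 4976),
    MemEvent("write_process_memory", 1468, 2564),
    MemEvent("write_process_memory", 1468, 4520),
    MemEvent("write_process_memory", 4520, 4976),
    MemEvent("write_process_memory", 2564, 3392),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hollowed_pids(procs, events):
    """Children whose own parent both set their thread context and wrote into their memory."""
    by_pid = {p.pid: p for p in procs}
    stc = {(e.src, e.dst) for e in events if e.kind == "set_thread_context"}
    wpm = {(e.src, e.dst) for e in events if e.kind == "write_process_memory"}
    return {dst for src, dst in stc & wpm if dst in by_pid and by_pid[dst].ppid == src}


def triage(procs, events, injected_process="explorer.exe"):
    """Return (rule, pid, detail) tuples. injected_process defaults to the config value."""
    by_pid = {p.pid: p for p in procs}
    hollow = hollowed_pids(procs, events)
    out = []
    for pid in sorted(hollow):
        p = by_pid[pid]
        out.append(("hollowed_host_process", pid,
                    f"{basename(p.image)} spawned by {p.ppid}, cmdline {p.cmdline!r}"))
    for e in events:   # a hollowed host writing into a process it did not spawn is injection
        dst = by_pid.get(e.dst)
        if e.kind == "write_process_memory" and e.src in hollow and dst and dst.ppid != e.src:
            note = " (matches config injected_process)" if basename(dst.image) == injected_process else ""
            out.append(("injection_from_hollowed_host", e.src, f"wrote into {basename(dst.image)} pid {e.dst}{note}"))
    for p in procs:
        if p.ppid in hollow:   # a compiler should not be spawning shells, browsers or services
            out.append(("child_of_hollowed_host", p.pid, basename(p.image)))
        if basename(p.image) == "svchost.exe" and p.image.rsplit("\\", 1)[0].lower() not in CANONICAL_SVCHOST_DIRS:
            out.append(("svchost_masquerade", p.pid, p.image))
    return out


def rule_counts(procs, events):
    return dict(Counter(r for r, _, _ in triage(procs, events)))


if __name__ == "__main__":
    for rule, pid, detail in triage(PROCS, MEM_EVENTS):
        print(f"{rule:30} pid {pid:<5} {detail}")
```

The hollowed set comes out as PIDs 2564 and 4976, the only cross-process write from a hollowed host is 2564 into Explorer.EXE (PID 3392), and PID 3056 is flagged because a file named Svchost.exe is running from a subdirectory rather than from System32 or SysWOW64 itself. Note that the sample's write into its own second instance (1468 into 4520) is deliberately not treated as hollowing, since no SetThreadContext accompanies it.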
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
Downloads

- Filesize: 229KB
  MD5: 1ef6cae3f52a3803b36ca70da09bee3d
  SHA1: 4545b14691be5e189f9436a45d4ddd9dd7fa3609
  SHA256: 41c2b2fc8b65d8f67ac2174e31a7052b1657e5bf2ef16ef041d9d6d27cb4a608
  SHA512: fd69aff563f36a2b073ccd41a09fc848a1c01a004ed2fdc626a348fafc6ab84e68c8679607e315e390337295c924dbe80e027c1bb7ea0e3b8ba7666b7e3fcf70

- Filesize: 8B
  MD5: aed62ff7f1eb43cc7bd704a77e31a6de
  SHA1: a20d88f3f92a90c1e747ccc22d8600ef0e52d3ea
  SHA256: 1833965030b64288cca4501015ef32170a8e466f6295c9cefd7aa1bccd61d70d
  SHA512: 61cf14e2203fbbdec1dd95536ff8c2477a16a9ae453071d832e4dcca8de0dca6681b223b06353d3e63874acf1031bda8437b5df2f7c98566b5f6d6c8f1a9ab12

- Filesize: 8B
  MD5: 362b5a497c5c116edef43e8c5d961b54
  SHA1: 96697a8d25c8937441daba3ae06b9cc54fa673bd
  SHA256: 5f003b95e2a7074019011664b20bee944c311021f5d46c60e06b7b3471a440ae
  SHA512: cbabecc176fb10fa20f143c711ec0889938d38c16324433fed6460b5c99b68ca9a853957db52a6dc90a694a7eb9e8cc627df6aa352c1a2ac3e7843ac42faa229

- Filesize: 8B
  MD5: 5f6c13afd068c928787beb636113dc78
  SHA1: 0831889243db3e1c1b87956c1072c4236cf4c634
  SHA256: 01e42db04a65ff7c562f59792caeb270c98f6e9592411ad9700887336b6d8564
  SHA512: bac1079546a9e6d015050619b1ce488a35b6db99f6656fda436500701e9f8b3e01bee9fbbfc36831f93be20fabd3b7eb43081129983ad54af57f5131a18afe4f

- Filesize: 8B
  MD5: 05d3eb2a0d519b83fa83286506c75284
  SHA1: b03a49e991740cfb0330c0f29168361d8c8843e4
  SHA256: 1cbfd3f7f3de7b157451727de9389677d463993f7da32c628cfdcdede89765b4
  SHA512: e8ea2d5bb67a7d5ced646a33ab9bfd16af2c4815d849b54822b54d522ff43440ee1c463811cd9a95776eb21e5842d44c713f59d661e845c8c78da1922c210dea

- Filesize: 8B
  MD5: 869d45962696e0352f66d0f591574fe5
  SHA1: d913f212a5d09d393d588bf298d2a73df71af9e8
  SHA256: 09e9c87bb7066f646c49f2d0764bb3c8dfc2ca20b7088d0d8d168ed540971db3
  SHA512: 15c96dc0a6dee0c2d67b51edc681a6c5c9872606703b4d36b85bc2ae96a98224828ae05163172462173ee670e62414ff951a82ae0e53fba68ebed6a8cd9b8272

- Filesize: 8B
  MD5: b761f1c19e4310b4a540afdd7cf57e96
  SHA1: 8490a06e916d87220701bd9178909b612daf6d5a
  SHA256: f957e8ddadbc0a872a9cb1ea1b7843ee59563644d10f69d3035edf0592df77a2
  SHA512: 6b289e66fcbc7a07ea27dace57cc1bf31321bf88a2a2ca3b1b3daf16efd76b71c3c75f8ffeb6305873f76eaaabc88bc00ee05cf0a7a44ade3d6dbc8f25b59fcf

- Filesize: 8B
  MD5: 2dae94114460b7633790869e8f0edeb4
  SHA1: b52df1b13adca9a3e7fff9b5f1b2e23c353c3737
  SHA256: 520b89a1fe113ce7072626f19a1073bf8acb8faaf488563541f06726d92f2a7b
  SHA512: 4bf1663dd8eca9d88dcf193f334edc18c637de31b2c73ef69ff775369088429f6ec7f1eae7f6771191d66f7b115220beedc38aedb75cf645b488d4a20c58b6db

- Filesize: 8B
  MD5: dd5fba7facbfd191b931badcdecb7727
  SHA1: 8657f65d03e939410a8da527384ced81fa1cda64
  SHA256: 5cbc5abb9e36da6dbdd017d45a00be4203fa545e368188910ddef0183b6f3962
  SHA512: 5a3005d6c1e8b4ed9d1dd918038df763e0f7f3ff815977be4c9841f48342e30c30283ae6b1e94beeb581b3577b129b0b6c3f350bea7c65ac01735ca49fb77959

- Filesize: 8B
  MD5: de7bff1e2ad340d86d9f0180ceda104b
  SHA1: b76a1f8db89e0de96aaf8f78022645f32ee33cc7
  SHA256: 6d12ca435830195d732ad4b6686e7342473cf6251b13f3a4b74df0c9b8fa2416
  SHA512: 83acbf5b4edb531f700b8e2237ce3beda6d2e61119b4d58306c8298e88ce700674ef4afe79e621bb8698ab3b202f41c10d5240c4ec492b6b109287142d1e06ce

- Filesize: 8B
  MD5: c12ae814b9a5edd761f86377f6c7d474
  SHA1: 2aa61eb93fdcd4e1442ccdde3dc5def2b17d65c0
  SHA256: d7791a15872f8170b8c4e5df3db30c66214e905b94e13c23259b463034e2b588
  SHA512: 49a8651e7c82877f3695c1e0d98a36036453585a7fa0550216211bbc8e30f0a0608677fc027ffdb8ee7a807ef4a92317d6984c108f0877fbfffd70ea7d8566a0

- Filesize: 8B
  MD5: 493c08d0e3fa67f7cdb3b1ffa0cb29c9
  SHA1: 907694aea8da190c6593c191f245b6b152bb4eaa
  SHA256: 6fed762c249fd2d1257a67e60356b4ca5302123f678121810d97707831c89188
  SHA512: 23e47a7973ba96efb8ae2fc76f4c2a0ee1d2ab53fa979eaca143df2f006f27cb43943999be08eec5a435e78a07ba9b2aef1b4f1d4383140834081cb7cf7589e8

- Filesize: 8B
  MD5: c257e217d724928b76da00c9cda7b0f5
  SHA1: 21b422486008cbaa20b2aa3a04950c29ef68029c
  SHA256: 5a6e3a319e85b25e69ff7f2cb1bd6792857f5be40fde8d5b9694dbaeea8f4cbf
  SHA512: 29335d79fca42f3c46079ab3e72b47957580e44b0da13bb1b28d3ff94bd2aef96d0a1cba6634cef391d29697af6b3071d5147ddf48f443eace98f75c501df4b4

- Filesize: 8B
  MD5: 41fecd568c4dac28e5ff48e988928a57
  SHA1: b4c491986384f4c6ba3009bc7a4a93a46d4354f7
  SHA256: 0f081b0e5780789f81aa5b654013c9f5fb22868e93691d9f123d00a2d17897d9
  SHA512: a671cda55af1f02f1744835f0d9e9b25c7dffe36cce56173ccdba1d07c6c8d8d7585aa0ca759af12c9a60cf26a102d442c5f0b963e0e6ed0bcfdd61398e45dd1

- Filesize: 8B
  MD5: ca978e5a2bcd715dbcc8573188ac48e4
  SHA1: 86c82ab3eb6c593928d9048b0eaf430d428defcd
  SHA256: b4a4d6ed1b8df9d9b1185f6a83ff1b1746f7782d3584a4472dbb0e5024d88a9e
  SHA512: 999e444cabf21f25b0492edc2ce31d4f558a89efd45fa95a14d4345c0e52664a8c6429c364c521297184888f0a43c72c2aba6bed6be635e40ffb641ea56eebf1

- Filesize: 8B
  MD5: 5177c8b800bcdaee8cf66fd3f7dea094
  SHA1: 6169d6a18c4ccf61a8599a239065a22900c918cf
  SHA256: dd644ab1e1a764b3a749841d7d5d0cb7bafab606156e5955f219f980e582f9cc
  SHA512: c06f579ceccb5bacc9d144b1edb7dd93a65b25bcffc211b44578971dd1335d153386042231f2e75ac6552f71ea917eabed0b0f4c6435f4117f684054fc51e79b

- Filesize: 8B
  MD5: a656477bd5db2fc9c4e65d45ee16cc7f
  SHA1: eafe3b2d9ed43f0e2c9d21fc7036619015bbe345
  SHA256: 6e4dd3dbbd7c76cfa4ccc49e20929d609ddc9453d8e8c3c46586990d7e182caf
  SHA512: f93c84d9f8f38b08c8f526c3dab4257ee3a3e1eb06df7fbc5f1c6a5521ce34995de75b541df7d6768243ce2895519bbd217e81dc9180b86c8252509496b23657

- Filesize: 8B
  MD5: 2f245389c3e668a492d46c115b1ca03f
  SHA1: 04e9fcab4f56ea96179ece0caa0099e98c0def25
  SHA256: 1dbe135a0cf338179e4cb2c7d13ce67ea1fac3657ac9f67d381eac454f0e855c
  SHA512: cb4575d6924e78c60981aea2030db8ebbc89964a9fd1803ab5eaef32703fe68fa8e0f0945a324d4fe3f1d0a021bbcdc281adf051191d60257be72fc302c20ada

- Filesize: 8B
  MD5: 46c6e91e6b8ea15209f5a1b897ab0868
  SHA1: 68f1d85a36e5dab2d559da3d5e2d4f3013ac7662
  SHA256: b7239b980df9795fec9c200379e893b5f5fbcec906646158e64035988e4a7f87
  SHA512: b430bcfaa050bdeb7ba825861d0a4a8ee219bee13ca90058fee66ffbf13f382e25ca94e6252a7e84e9e8898cad88a51705f2424ff912e8d98074e5495346650e

- Filesize: 15B
  MD5: e21bd9604efe8ee9b59dc7605b927a2a
  SHA1: 3240ecc5ee459214344a1baac5c2a74046491104
  SHA256: 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
  SHA512: 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

- Filesize: 457KB (the submitted sample; same hashes as under General)
  MD5: 9b24f78266073aed6e00462cb31756e2
  SHA1: 603e0d50a9b9464a0a7d70dd0bfb06191918ea6e
  SHA256: f8c4d7333771ba91143b8122fe3b8a20b624efc6f2ed9a9899bde7d025518433
  SHA512: 3fe6b0af07cd3b4661c3d84003c5b6d644727ad2826e273875f9f01aad4bb8bfc7eef7f02087c0dd5aa5d5c64797721dabfddae6ce6bedb83969fc64c6c845fe

- Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34