d70e2278bb0367a9575e79f64c6da48747d4d04bda602ea309099df2150262be

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe
Size

761KB
MD5

a5cfa3299a49dfd7ee7eb96729fdb425
SHA1

600ddc6eae1969f94bc73f85c21adcb22c57d001
SHA256

d70e2278bb0367a9575e79f64c6da48747d4d04bda602ea309099df2150262be
SHA512

ea1eef43593fed867006f394f1eb1c4ccc0c6f5f36b371458900a104b87ba462fca725868aaea1040dbc19b9288f980ac0bb02f99ec4796dfd15bfe62e200d0d
SSDEEP

12288:h68eX1y8qpm5yy30WyUokkJ1wAxGW7hCaOoWsvTQVgEPvN888888888888W8888E:IrXsBpPw4rVbWs8VgEP

Score

10^/10

discovery evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\System. = "C:\\ProgramData\\WindowsUpdate\\System\\Isass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\win32 = "C:\\Documents and Settings\\All Users\\WindowsUpdate\\Microsoft windows\\WindowsUpdate.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4904	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Windll64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WindowsUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Windll32.exe

Executes dropped EXE 4 IoCs

pid	Process
3596	Windll32.exe
1396	Windll64.exe
4288	WindowsUpdate.exe
3524	Isass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windll64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	PaintStudio.View.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	PaintStudio.View.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	PaintStudio.View.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	PaintStudio.View.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	PaintStudio.View.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\MuiCache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheVersion = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheVersion = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3724	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1204	mspaint.exe
1204	mspaint.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3724	PaintStudio.View.exe
Token: SeDebugPrivilege	3724	PaintStudio.View.exe
Token: SeDebugPrivilege	3724	PaintStudio.View.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1204	mspaint.exe
4288	WindowsUpdate.exe
3724	PaintStudio.View.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 1204	4716	a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe	84
PID 4716 wrote to memory of 1204	4716	a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe	84
PID 4716 wrote to memory of 1204	4716	a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe	84
PID 4716 wrote to memory of 3596	4716	a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe	85
PID 4716 wrote to memory of 3596	4716	a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe	85
PID 4716 wrote to memory of 3596	4716	a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe	85
PID 4716 wrote to memory of 1396	4716	a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe	86
PID 4716 wrote to memory of 1396	4716	a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe	86
PID 4716 wrote to memory of 1396	4716	a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe	86
PID 1396 wrote to memory of 4288	1396	Windll64.exe	89
PID 1396 wrote to memory of 4288	1396	Windll64.exe	89
PID 1396 wrote to memory of 4288	1396	Windll64.exe	89
PID 4288 wrote to memory of 2428	4288	WindowsUpdate.exe	93
PID 4288 wrote to memory of 2428	4288	WindowsUpdate.exe	93
PID 4288 wrote to memory of 2428	4288	WindowsUpdate.exe	93
PID 2428 wrote to memory of 1688	2428	cmd.exe	96
PID 2428 wrote to memory of 1688	2428	cmd.exe	96
PID 2428 wrote to memory of 1688	2428	cmd.exe	96
PID 3596 wrote to memory of 3524	3596	Windll32.exe	99
PID 3596 wrote to memory of 3524	3596	Windll32.exe	99
PID 3596 wrote to memory of 3524	3596	Windll32.exe	99
PID 3524 wrote to memory of 1556	3524	Isass.exe	107
PID 3524 wrote to memory of 1556	3524	Isass.exe	107
PID 3524 wrote to memory of 1556	3524	Isass.exe	107
PID 1556 wrote to memory of 4904	1556	cmd.exe	109
PID 1556 wrote to memory of 4904	1556	cmd.exe	109
PID 1556 wrote to memory of 4904	1556	cmd.exe	109
PID 3524 wrote to memory of 1396	3524	Isass.exe	110
PID 3524 wrote to memory of 1396	3524	Isass.exe	110
PID 3524 wrote to memory of 1396	3524	Isass.exe	110
PID 1396 wrote to memory of 4232	1396	cmd.exe	112
PID 1396 wrote to memory of 4232	1396	cmd.exe	112
PID 1396 wrote to memory of 4232	1396	cmd.exe	112
PID 1396 wrote to memory of 5072	1396	cmd.exe	113
PID 1396 wrote to memory of 5072	1396	cmd.exe	113
PID 1396 wrote to memory of 5072	1396	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5cfa3299a49dfd7ee7eb96729fdb425_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\SysWOW64\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\untitled.JPG" /ForceBootstrapPaint3D
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1204
- C:\Users\Admin\AppData\Local\Temp\Windll32.exe
  "C:\Users\Admin\AppData\Local\Temp\Windll32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\ProgramData\WindowsUpdate\System\Isass.exe
    "C:\ProgramData\WindowsUpdate\System\Isass.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh firewall set opmode DISABLE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode DISABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4904
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Public\lpt1\driver.bat"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD \\.\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v System. /t REG_SZ /d "C:\ProgramData\WindowsUpdate\System\Isass.exe" /f
        5⤵
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4232
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD \\.\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5072
- C:\Users\Admin\AppData\Local\Temp\Windll64.exe
  "C:\Users\Admin\AppData\Local\Temp\Windll64.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Documents and Settings\All Users\WindowsUpdate\Microsoft windows\WindowsUpdate.exe
    "C:\Documents and Settings\All Users\WindowsUpdate\Microsoft windows\WindowsUpdate.exe" /start
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD \\.\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v win32 /t REG_SZ /d "C:\Documents and Settings\All Users\WindowsUpdate\Microsoft windows\WindowsUpdate.exe" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD \\.\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v win32 /t REG_SZ /d "C:\Documents and Settings\All Users\WindowsUpdate\Microsoft windows\WindowsUpdate.exe" /f
        5⤵
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1688

C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsUpdate\Microsoft windows\WindowsUpdate.exe

Filesize
140KB

MD5
67bc4ab7940e15c0de066cff9814860d

SHA1
63549930f5d3d25136d381c77fd321489ecd95ba

SHA256
dac0c50748938582956d597352c3c6f1063fa11c149b24e0766e8d4d94463baf

SHA512
eea2f476ab45ea5a04f1859373cae64c008221eaf14c3f7b8cda7ad261c41b7553b2e4466cec03b6a3faee5b73c71dc16a1951347511fc82bcac2363ec15422f

Download Submit
C:\ProgramData\WindowsUpdate\System\Isass.exe

Filesize
200KB

MD5
28faddcd0c9f6fae3b247ca42522c9a8

SHA1
3cbf67857093b41edbca597f66804a10cc3fde21

SHA256
6effed9165d3da9aa21d885dd132ba56097f3b943ce8b0506a7b584874139b49

SHA512
02f10dc090196f2ffdfcf6aee536ecbc11f865f4267ce7a2bc88b11d2c0b491cf65d67c9dd8e8187e01060bb711cb01b8bc814504aa16b35a2a6e981cf660e0f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
242B

MD5
f5871e1026ae60de4da040fa1b6879b8

SHA1
d4160f1cf8eb2e122ed79e1e04fc39081e6c77b3

SHA256
c65e118b224661c1c1fedf008795e025d669e8f5c1744fd9ee13900f4b2d35c2

SHA512
5edcc6d00511c008319f0b01fb46ca009f9d9fae41e12ba990790c6964f03ce068c720b82f242c5b22308324c308b999fde8fa02ea368619d1bd7a5fa9a88864

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

Filesize
2KB

MD5
f4e4a03ebd0ab3a953c56a300d61d223

SHA1
97a9acf22c3bdd6989d7c120c21077c4d5a9a80e

SHA256
52bfb22aa2d7b0ce083d312fb8fa8dcda3063207186f99fc259aebd9064cbedc

SHA512
12aa71eea45720a4d7d057da0b662635671e4cd165ad2e0d30a3d2a43950b47dd60c26c1bbbe049418f815850e571b8d93e4c8b8cbbd686abc3cf7926ba719c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\Configurations.ini

Filesize
111B

MD5
3f80399610772b8a6908c78a13cb58d3

SHA1
2c95c425e72529cea677dd9d98cb532c9b538884

SHA256
63f0d38852f92a72d45ed4e26ab2ee135961d9ed7a8c4b48a004ea037bc25394

SHA512
aa81ad3f030a1357cd1b1deedc225d0f0fbc5a944dc6f207861d0c11321d8db24a419175d5a6d46cd94615e3b029c089348ef7e59626079c3493c95c1af7d81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windll32.exe

Filesize
200KB

MD5
9da887f6dd2398ba940e5cc1a145f9cd

SHA1
df66ab8022953c7cefc11b92ac24ffb223daa4f8

SHA256
55e900eca9eb5b0f57879ea43e435c968e0940ff0d7df41d9db408f88a94e8d6

SHA512
11ae411c13f6124ddcfb3e55b1b1fa3ff525b87abe6da64b9bb15ec34f8adda87715abee82886a2840e40cabfbcd8d7580f003f7e7636d70870006175489c630

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windll64.exe

Filesize
140KB

MD5
71ebdaa1e463475fab2350ad9c8906ca

SHA1
346a46cdf83dff9231ba84594fa82849d6dff5b1

SHA256
85e8cd6cf68c947e75986dd515a1843baac44eec1b8d9edc34c69bdade217ba0

SHA512
a6a44409aed43ea4c122b181099acd85c9f3113e4db29b7d636fd3daafcc783d12e0b74ff9e65ced5c815ccbe0efa9b6ab63f770f5cf5e1dc3513712fae65fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\untitled.JPG

Filesize
279KB

MD5
ad8c5461df29e9175c1ca3629bed613b

SHA1
50293071099358ee80e85f57bafa579580c45498

SHA256
1b8a2d4275a294b1c401ec4512d48ca8e54ece4ce77e0ea9ff08fd232b59b9b2

SHA512
9caf58830ee7592c4b99bd8c48d477c4fd9f572814668feaae7bf2698a7f1262690af61c4e4f422ecf74a9245d6b86cadbce02a053f2afa0449227fcdaf3fa4c

Download Submit
C:\Users\Public\lpt1\driver.bat

Filesize
279B

MD5
6651540aa8e830270ee77f0082f1d0ae

SHA1
046c18c94d9f1813e59cfcb207003ed791a7bd05

SHA256
16b94927b71f3acd07d4afb1fa5540a016c457c59638a19d8b4c947042465a7f

SHA512
03a906efc33b9d89a994b028875e22787696a6398a505da454478c2920f8316242f87b7aee6c6c941aef97c969f8a9b34741e098c35098bde870777c57cff704

Download Submit
memory/4716-33-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download