Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19/08/2024, 05:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe
Resource
win7-20240729-en
windows7-x64
23 signatures
150 seconds
Behavioral task
behavioral2
Sample
a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
23 signatures
150 seconds
General
-
Target
a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe
-
Size
680KB
-
MD5
a9c23eddb8ccb3008ef6dcf7500dc833
-
SHA1
14440dd1c9dcb5ee0aafacd4fa6e4457ac8bf1da
-
SHA256
70fa8d9e6b819e18967b7e4d8a7fc50030800c9427d66b657dda837a0a434052
-
SHA512
415d65be32ee25d5b1e1676e005bbb315aced8597e11038c5bcaae0541b15715767bc72f7a22e17eacc0eb1436a04204c6df51344df34a1ad1a2b3b51d65403e
-
SSDEEP
12288:qClephVMo7IYJAB++2RrxRAjbeNC2v+clES+vYOqH:fOhKpYyB/MrxRAZMES+b+
Score
10/10
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile svcnost.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications svcnost.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\x3wvvuugpgaveju1d1adbxjiyhx22kgy2\svcnost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\x3wvvuugpgaveju1d1adbxjiyhx22kgy2\\svcnost.exe:*:Enabled:ldrsoft" svcnost.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List svcnost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" GFW6ssUz.exe Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" xiliv.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\hosts 4kaq.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation GFW6ssUz.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe -
Executes dropped EXE 12 IoCs
pid Process 1256 GFW6ssUz.exe 3744 xiliv.exe 3376 2kaq.exe 4108 2kaq.exe 1764 2kaq.exe 3096 2kaq.exe 1728 2kaq.exe 1900 2kaq.exe 1280 3kaq.exe 316 X 4840 4kaq.exe 1240 svcnost.exe -
Loads dropped DLL 2 IoCs
pid Process 1240 svcnost.exe 1240 svcnost.exe -
resource yara_rule behavioral2/memory/4108-52-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/1764-53-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral2/memory/4108-50-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/4108-47-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/1764-59-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral2/memory/1764-58-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral2/memory/1764-61-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral2/memory/3096-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3096-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3096-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1728-68-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/1728-66-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/1728-64-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/4108-84-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/files/0x0007000000023451-89.dat upx behavioral2/memory/4840-91-0x0000000000400000-0x0000000000B19000-memory.dmp upx behavioral2/memory/1728-96-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/3096-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1240-97-0x0000000000400000-0x0000000000B19000-memory.dmp upx behavioral2/memory/4840-100-0x0000000000400000-0x0000000000B19000-memory.dmp upx behavioral2/memory/1240-120-0x0000000000400000-0x0000000000B19000-memory.dmp upx -
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 31.193.3.240 Destination IP 31.193.3.240 -
Adds Run key to start application 2 TTPs 53 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /T" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /x" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /I" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /o" GFW6ssUz.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /S" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /P" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /t" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /L" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /R" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /d" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /X" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /s" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /B" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /O" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /V" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /C" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /q" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /G" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /F" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /z" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /j" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /J" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /w" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /k" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /r" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /H" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /i" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /N" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /g" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /e" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /M" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /v" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /a" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /p" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /Y" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /b" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /f" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /D" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /l" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /y" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /W" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Init = "\"C:\\Users\\Admin\\AppData\\Roaming\\x3wvvuugpgaveju1d1adbxjiyhx22kgy2\\svcnost.exe\"" 4kaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /K" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /U" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /m" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /Z" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /E" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /A" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /h" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /Q" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /c" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /o" xiliv.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiliv = "C:\\Users\\Admin\\xiliv.exe /n" xiliv.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\desktop.ini svcnost.exe File opened for modification C:\Users\Admin\AppData\Roaming\desktop.ini svcnost.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2kaq.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 2kaq.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 3824 tasklist.exe 4612 tasklist.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 3376 set thread context of 4108 3376 2kaq.exe 96 PID 3376 set thread context of 1764 3376 2kaq.exe 97 PID 3376 set thread context of 3096 3376 2kaq.exe 98 PID 3376 set thread context of 1728 3376 2kaq.exe 100 PID 3376 set thread context of 1900 3376 2kaq.exe 101 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3212 1900 WerFault.exe 101 -
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2kaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GFW6ssUz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svcnost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2kaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2kaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3kaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xiliv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4kaq.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\SavedLegacySettingsML = 383535363932323131 svcnost.exe Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry svcnost.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1256 GFW6ssUz.exe 1256 GFW6ssUz.exe 1256 GFW6ssUz.exe 1256 GFW6ssUz.exe 1764 2kaq.exe 1764 2kaq.exe 3096 2kaq.exe 3096 2kaq.exe 1280 3kaq.exe 1280 3kaq.exe 316 X 316 X 3744 xiliv.exe 3744 xiliv.exe 3744 xiliv.exe 3744 xiliv.exe 3096 2kaq.exe 3096 2kaq.exe 1764 2kaq.exe 1764 2kaq.exe 3744 xiliv.exe 3744 xiliv.exe 3744 xiliv.exe 3744 xiliv.exe 4840 4kaq.exe 4840 4kaq.exe 3744 xiliv.exe 3744 xiliv.exe 3744 xiliv.exe 3744 xiliv.exe 1764 2kaq.exe 1764 2kaq.exe 3744 xiliv.exe 3744 xiliv.exe 1764 2kaq.exe 1764 2kaq.exe 1764 2kaq.exe 1764 2kaq.exe 3744 xiliv.exe 3744 xiliv.exe 3744 xiliv.exe 3744 xiliv.exe 3744 xiliv.exe 3744 xiliv.exe 1764 2kaq.exe 1764 2kaq.exe 1764 2kaq.exe 1764 2kaq.exe 3744 xiliv.exe 3744 xiliv.exe 1764 2kaq.exe 1764 2kaq.exe 3744 xiliv.exe 3744 xiliv.exe 3744 xiliv.exe 3744 xiliv.exe 1764 2kaq.exe 1764 2kaq.exe 3744 xiliv.exe 3744 xiliv.exe 1764 2kaq.exe 1764 2kaq.exe 3744 xiliv.exe 3744 xiliv.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeDebugPrivilege 3824 tasklist.exe Token: SeDebugPrivilege 1280 3kaq.exe Token: SeDebugPrivilege 1280 3kaq.exe Token: SeShutdownPrivilege 3492 Explorer.EXE Token: SeCreatePagefilePrivilege 3492 Explorer.EXE Token: SeShutdownPrivilege 3492 Explorer.EXE Token: SeCreatePagefilePrivilege 3492 Explorer.EXE Token: SeShutdownPrivilege 3492 Explorer.EXE Token: SeCreatePagefilePrivilege 3492 Explorer.EXE Token: SeShutdownPrivilege 3492 Explorer.EXE Token: SeCreatePagefilePrivilege 3492 Explorer.EXE Token: SeDebugPrivilege 4612 tasklist.exe Token: SeShutdownPrivilege 3492 Explorer.EXE Token: SeCreatePagefilePrivilege 3492 Explorer.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3416 a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe 1256 GFW6ssUz.exe 3744 xiliv.exe 3376 2kaq.exe 4108 2kaq.exe 1728 2kaq.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3492 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3416 wrote to memory of 1256 3416 a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe 87 PID 3416 wrote to memory of 1256 3416 a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe 87 PID 3416 wrote to memory of 1256 3416 a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe 87 PID 1256 wrote to memory of 3744 1256 GFW6ssUz.exe 92 PID 1256 wrote to memory of 3744 1256 GFW6ssUz.exe 92 PID 1256 wrote to memory of 3744 1256 GFW6ssUz.exe 92 PID 3416 wrote to memory of 3376 3416 a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe 93 PID 3416 wrote to memory of 3376 3416 a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe 93 PID 3416 wrote to memory of 3376 3416 a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe 93 PID 1256 wrote to memory of 1044 1256 GFW6ssUz.exe 94 PID 1256 wrote to memory of 1044 1256 GFW6ssUz.exe 94 PID 1256 wrote to memory of 1044 1256 GFW6ssUz.exe 94 PID 3376 wrote to memory of 4108 3376 2kaq.exe 96 PID 3376 wrote to memory of 4108 3376 2kaq.exe 96 PID 3376 wrote to memory of 4108 3376 2kaq.exe 96 PID 3376 wrote to memory of 4108 3376 2kaq.exe 96 PID 3376 wrote to memory of 4108 3376 2kaq.exe 96 PID 3376 wrote to memory of 4108 3376 2kaq.exe 96 PID 3376 wrote to memory of 4108 3376 2kaq.exe 96 PID 3376 wrote to memory of 4108 3376 2kaq.exe 96 PID 3376 wrote to memory of 1764 3376 2kaq.exe 97 PID 3376 wrote to memory of 1764 3376 2kaq.exe 97 PID 3376 wrote to memory of 1764 3376 2kaq.exe 97 PID 3376 wrote to memory of 1764 3376 2kaq.exe 97 PID 3376 wrote to memory of 1764 3376 2kaq.exe 97 PID 3376 wrote to memory of 1764 3376 2kaq.exe 97 PID 3376 wrote to memory of 1764 3376 2kaq.exe 97 PID 3376 wrote to memory of 1764 3376 2kaq.exe 97 PID 3376 wrote to memory of 3096 3376 2kaq.exe 98 PID 3376 wrote to memory of 3096 3376 2kaq.exe 98 PID 3376 wrote to memory of 3096 3376 2kaq.exe 98 PID 3376 wrote to memory of 3096 3376 2kaq.exe 98 PID 3376 wrote to memory of 3096 3376 2kaq.exe 98 PID 3376 wrote to memory of 3096 3376 2kaq.exe 98 PID 3376 wrote to memory of 3096 3376 2kaq.exe 98 PID 3376 wrote to memory of 3096 3376 2kaq.exe 98 PID 3376 wrote to memory of 1728 3376 2kaq.exe 100 PID 3376 wrote to memory of 1728 3376 2kaq.exe 100 PID 3376 wrote to memory of 1728 3376 2kaq.exe 100 PID 3376 wrote to memory of 1728 3376 2kaq.exe 100 PID 3376 wrote to memory of 1728 3376 2kaq.exe 100 PID 3376 wrote to memory of 1728 3376 2kaq.exe 100 PID 3376 wrote to memory of 1728 3376 2kaq.exe 100 PID 1044 wrote to memory of 3824 1044 cmd.exe 99 PID 1044 wrote to memory of 3824 1044 cmd.exe 99 PID 1044 wrote to memory of 3824 1044 cmd.exe 99 PID 3376 wrote to memory of 1728 3376 2kaq.exe 100 PID 3376 wrote to memory of 1900 3376 2kaq.exe 101 PID 3376 wrote to memory of 1900 3376 2kaq.exe 101 PID 3376 wrote to memory of 1900 3376 2kaq.exe 101 PID 3376 wrote to memory of 1900 3376 2kaq.exe 101 PID 3416 wrote to memory of 1280 3416 a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe 105 PID 3416 wrote to memory of 1280 3416 a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe 105 PID 3416 wrote to memory of 1280 3416 a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe 105 PID 1280 wrote to memory of 316 1280 3kaq.exe 106 PID 1280 wrote to memory of 316 1280 3kaq.exe 106 PID 316 wrote to memory of 3492 316 X 56 PID 3416 wrote to memory of 4840 3416 a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe 108 PID 3416 wrote to memory of 4840 3416 a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe 108 PID 3416 wrote to memory of 4840 3416 a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe 108 PID 4840 wrote to memory of 1240 4840 4kaq.exe 111 PID 4840 wrote to memory of 1240 4840 4kaq.exe 111 PID 4840 wrote to memory of 1240 4840 4kaq.exe 111 PID 3416 wrote to memory of 1000 3416 a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe 112
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3492 -
C:\Users\Admin\AppData\Local\Temp\a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Users\Admin\GFW6ssUz.exeC:\Users\Admin\GFW6ssUz.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Users\Admin\xiliv.exe"C:\Users\Admin\xiliv.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3744
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del GFW6ssUz.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3824
-
-
-
-
C:\Users\Admin\2kaq.exeC:\Users\Admin\2kaq.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Users\Admin\2kaq.exe"C:\Users\Admin\2kaq.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4108
-
-
C:\Users\Admin\2kaq.exe"C:\Users\Admin\2kaq.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1764
-
-
C:\Users\Admin\2kaq.exe"C:\Users\Admin\2kaq.exe"4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:3096
-
-
C:\Users\Admin\2kaq.exe"C:\Users\Admin\2kaq.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1728
-
-
C:\Users\Admin\2kaq.exe"C:\Users\Admin\2kaq.exe"4⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 805⤵
- Program crash
PID:3212
-
-
-
-
C:\Users\Admin\3kaq.exeC:\Users\Admin\3kaq.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Users\Admin\AppData\Local\fab7201a\X*0*bc*c2115642*31.193.3.240:534⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:316
-
-
-
C:\Users\Admin\4kaq.exeC:\Users\Admin\4kaq.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Users\Admin\AppData\Roaming\x3wvvuugpgaveju1d1adbxjiyhx22kgy2\svcnost.exe"C:\Users\Admin\AppData\Roaming\x3wvvuugpgaveju1d1adbxjiyhx22kgy2\svcnost.exe"4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:1240
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe3⤵
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4612
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1900 -ip 19001⤵PID:2244
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
132KB
MD5d7dbb57f65cb963477a8fa11714ec0be
SHA1756d29032644973b9f48980a1e30448206811119
SHA25694242fda567e2b4dc0be9d4ca5370ff0ddee2d25751dd191c3fed995837c10ec
SHA5121db3577abd73c8c8667da426faedf63ad9c7a75462cbeac0be19a525690baaa9f1d8446d3b804abbf24550d73cbefecf6c77c224539e8dd5db37f34f7e975fdc
-
Filesize
277KB
MD500b72668c42555c6d9e3cee383730fc0
SHA1509a7c39baf2b9a46813c641cca687b37e244d5a
SHA256baaacce5c3f18154d4925ec6568ccf66f4ab9ee5477bd0faf44f08d9397641dd
SHA5121bfa5cd6081a5e8556b452cf4741831da829fcc9e2b51c77c92a4fdacfa1b934d14bc049f8185be09b1447664f55956f69e7fd16a868c9655eb32f9b9ef02e78
-
Filesize
120KB
MD5ee3508d5206de400e5792c826ae71aae
SHA1b448132f604b7e886343b911cc56371a7f251c04
SHA256f6226f935ea3d5ecc4be3ccf6a59caff31ed3e6bd35c5d26fbe3906b4379b35d
SHA512233f72bf8cf5d72b7f7c09bf546220fa0c34511330349fa28ef4c746b19f59696b5e515a7d345862430979800be354ab954aa55f79747a83d601abdf32bd24fb
-
Filesize
38KB
MD572de2dadaf875e2fd7614e100419033c
SHA15f17c5330e91a42daa9ff24c4aa602bd1a72bf6e
SHA256c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381
SHA512e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3
-
Filesize
9KB
MD54a27242b307c6a836993353035fafc16
SHA15fea7a41b8f9071848108015d8a952e6f944eea0
SHA25602fd93f64bda51e1e2991184cac13f077d509712e462c9e44be9cf8e22c06de1
SHA51235e9c87642b82df2bf0a9312bb0e9abfb98282db1e34032a4d0150d82c5e2f2e13150ddc896f1e954f02288a1e696a4306ee595b94b1e404c6ec17bac64c44be
-
Filesize
54KB
MD57e8e966927e04a35aec644602b8a9e05
SHA1d201b0b41e8701818d60ddbf9f334332a512c4da
SHA25646f18d9fbf63f378d86962cbf24f5ce57ce257555acd4effdcc41c1e2f1adf5c
SHA512246777c79129a5076b71ca5d3f7e59b06d344f6b5e771892ae8ee68c0b5af9207cd1868b1336b49e6a84665309ad379a33ec6c8e72d7ce41de72153637921a51
-
Filesize
312KB
MD5d0250c92bd9e6c62c0c8227ea7bc0df4
SHA19a9fd691422b105c5e008764b980d1568c2df957
SHA256ee113e2ee5cd0d396af0e79c2390d059355d24e426886bbacda44d7f39a28007
SHA51299ab659dd56fabf0bd488f754cc7d1b166e1727b5a742d4262062946b5aa79577499fff55e434b6dbe05efa11e9ce2ce58cf68f30e29d9b5580e20de4e974200
-
Filesize
312KB
MD5d40409eb3053209f0faf3a26265574ae
SHA1a3f19235a2859e5d0810c68af897a861acf3f2d0
SHA256a43878b7b764008a9990ac215da3ff368797ff0c4296c8c179d66d01f3006023
SHA512ec2a49c448c31843d12e4c69aed976bbbf76aeee130c55c5d9170f39f0c521d824c78973e033df2eeb5b9ad6ae8613bcc63ff0cdac175697b416ee2c0e3f62c3