Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 20/08/2024, 01:39
Static task: static1

Behavioral task: behavioral1
- Sample: ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
- Size: 1.3MB
- MD5: ad68925c8de4f346723ddc172b416e4d
- SHA1: 80553a650296fe664ea25ca567ae85353517f1a2
- SHA256: 218f6f03046a19ccbdc91f45959eb43def38bf11fe296c5ca57192ab5454d5b9
- SHA512: a464c8026407c0d1d8912e14022109d1a72d445f4d1cc9ab0878f19d21f332baa8a2e500a81790f08862b9e1bd5f7984a0387ea1a6bdc0200ae182c65156d2c4
- SSDEEP: 24576:dy/PLameAu9Spf5Gb7PLg79JLR8rdegEjrObHXa1Kkdi6CZQroBUc:d+LarAu9qRGbo9H8rGUHXs/fCoW
Malware Config
Signatures
Event Triggered Execution: AppInit DLLs (1 TTPs)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Modifies Windows Firewall (2 TTPs, 3 IoCs)

| pid | Process |
|---|---|
| 2132 | netsh.exe |
| 2736 | netsh.exe |
| 2676 | netsh.exe |
Executes dropped EXE (4 IoCs)

| pid | Process |
|---|---|
| 3028 | EhStorShell32.exe |
| 2684 | chtbrkr32.exe |
| 2060 | EhStorShell32.exe |
| 1712 | lsass.exe |

Loads dropped DLL (10 IoCs)

| pid | Process |
|---|---|
| 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| 2684 | chtbrkr32.exe |
| 2684 | chtbrkr32.exe |
| 2684 | chtbrkr32.exe |
| 2060 | EhStorShell32.exe |
| 3028 | EhStorShell32.exe |
| 3028 | EhStorShell32.exe |
| 1712 | lsass.exe |

| resource | yara_rule |
|---|---|
| behavioral1/memory/2468-6-0x0000000010000000-0x0000000010088000-memory.dmp | upx |
| behavioral1/memory/2468-9-0x0000000010000000-0x0000000010088000-memory.dmp | upx |
| behavioral1/memory/2468-86-0x0000000010000000-0x0000000010088000-memory.dmp | upx |
Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe" | EhStorShell32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe" | lsass.exe |

Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D90B357-76A9-4712-8296-6B0E76DC7E98} | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
Drops file in System32 directory (11 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\72d486621324C.manifest | chtbrkr32.exe |
| File opened for modification | C:\Windows\SysWOW64\72d486621324O.manifest | chtbrkr32.exe |
| File opened for modification | C:\Windows\SysWOW64\72d486621324S.manifest | chtbrkr32.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | chtbrkr32.exe |
| File created | C:\Windows\SysWOW64\EhStorShell32.exe | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| File created | C:\Windows\SysWOW64\chtbrkr32.exe | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| File opened for modification | C:\Windows\SysWOW64\142250261 | chtbrkr32.exe |
| File opened for modification | C:\Windows\SysWOW64\72d486621324P.manifest | chtbrkr32.exe |
| File created | C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| File opened for modification | C:\Windows\SysWOW64\142250261 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| File opened for modification | C:\Windows\SysWOW64\chtbrkr32.exe | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 9 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

| description | ioc | Process |
|---|---|---|
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |

Program crash (1 IoCs)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 3000 | 2468 | WerFault.exe | 30 |
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chtbrkr32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EhStorShell32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EhStorShell32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe |
Modifies Internet Explorer settings

| description | ioc | Process |
|---|---|---|
| Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 57b3900da976124782966b0e76dc7e98 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
Modifies data under HKEY_USERS (47 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | chtbrkr32.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3798A8AE-FB76-474B-AE20-C92EF03B2E06}\WpadDecisionTime = b09786dea1f2da01 | chtbrkr32.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3798A8AE-FB76-474B-AE20-C92EF03B2E06}\WpadNetworkName = "Network 3" | chtbrkr32.exe |
| Key created | \REGISTRY\USER\.DEFAULT | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | chtbrkr32.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | chtbrkr32.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | chtbrkr32.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3798A8AE-FB76-474B-AE20-C92EF03B2E06}\52-48-2f-57-c8-e9 | chtbrkr32.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-48-2f-57-c8-e9\WpadDecisionReason = "1" | chtbrkr32.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Rgkihjjewq | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 57b3900da976124782966b0e76dc7e98 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | chtbrkr32.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | chtbrkr32.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | chtbrkr32.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-48-2f-57-c8-e9\WpadDecisionTime = b09786dea1f2da01 | chtbrkr32.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0097000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | chtbrkr32.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-19\Software | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\72d48662 = " " | chtbrkr32.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3798A8AE-FB76-474B-AE20-C92EF03B2E06}\WpadDecisionTime = 70bd622ba2f2da01 | chtbrkr32.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-48-2f-57-c8-e9\WpadDetectedUrl | chtbrkr32.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | chtbrkr32.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | chtbrkr32.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3798A8AE-FB76-474B-AE20-C92EF03B2E06}\WpadDecision = "0" | chtbrkr32.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-48-2f-57-c8-e9 | chtbrkr32.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-48-2f-57-c8-e9\WpadDecisionTime = 70bd622ba2f2da01 | chtbrkr32.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Rgkihjjewq\CLSID | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Rgkihjjewq | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-20 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | chtbrkr32.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-48-2f-57-c8-e9\WpadDecision = "0" | chtbrkr32.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Rgkihjjewq\CLSID\ = "{7bb748c5-fea2-46ca-930e-475059598fae}" | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 57b3900da976124782966b0e76dc7e98 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | chtbrkr32.exe |
| Key created | \REGISTRY\USER\S-1-5-19 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Rgkihjjewq\CLSID\ = "{7bb748c5-fea2-46ca-930e-475059598fae}" | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | chtbrkr32.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3798A8AE-FB76-474B-AE20-C92EF03B2E06}\WpadDecisionReason = "1" | chtbrkr32.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Rgkihjjewq\CLSID | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Rgkihjjewq | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Rgkihjjewq\CLSID\ = "{7bb748c5-fea2-46ca-930e-475059598fae}" | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0097000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | chtbrkr32.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3798A8AE-FB76-474B-AE20-C92EF03B2E06} | chtbrkr32.exe |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Rgkihjjewq\CLSID | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Rgkihjjewq\CLSID | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | chtbrkr32.exe |
Modifies registry class (16 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7bb748c5-fea2-46ca-930e-475059598fae} | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Software | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Rgkihjjewq\CLSID | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{1a8e967a-9f11-4194-bbcc-58df4af9fdc4}" | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D90B357-76A9-4712-8296-6B0E76DC7E98}\InprocServer32 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D90B357-76A9-4712-8296-6B0E76DC7E98}\InprocServer32\ThreadingModel = "Both" | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Rgkihjjewq\CLSID\ = "{7bb748c5-fea2-46ca-930e-475059598fae}" | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Software\Rgkihjjewq | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Software\Rgkihjjewq\CLSID | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Software\Rgkihjjewq\CLSID\ = "{7bb748c5-fea2-46ca-930e-475059598fae}" | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Rgkihjjewq | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Software\Rgkihjjewq\CLSID | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D90B357-76A9-4712-8296-6B0E76DC7E98} | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D90B357-76A9-4712-8296-6B0E76DC7E98}\InprocServer32\ = "C:\\Windows\\SysWow64\\api-ms-win-core-localization-l1-2-032.dll" | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses (1 IoCs)

| pid | Process |
|---|---|
| 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe |

Suspicious use of WriteProcessMemory (28 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2468 wrote to memory of 3028 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 31 |
| PID 2468 wrote to memory of 3028 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 31 |
| PID 2468 wrote to memory of 3028 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 31 |
| PID 2468 wrote to memory of 3028 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 31 |
| PID 2468 wrote to memory of 2132 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 32 |
| PID 2468 wrote to memory of 2132 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 32 |
| PID 2468 wrote to memory of 2132 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 32 |
| PID 2468 wrote to memory of 2132 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 32 |
| PID 2468 wrote to memory of 2736 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 34 |
| PID 2468 wrote to memory of 2736 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 34 |
| PID 2468 wrote to memory of 2736 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 34 |
| PID 2468 wrote to memory of 2736 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 34 |
| PID 2468 wrote to memory of 2676 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 36 |
| PID 2468 wrote to memory of 2676 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 36 |
| PID 2468 wrote to memory of 2676 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 36 |
| PID 2468 wrote to memory of 2676 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 36 |
| PID 2468 wrote to memory of 3000 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 39 |
| PID 2468 wrote to memory of 3000 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 39 |
| PID 2468 wrote to memory of 3000 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 39 |
| PID 2468 wrote to memory of 3000 | 2468 | ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe | 39 |
| PID 2684 wrote to memory of 2060 | 2684 | chtbrkr32.exe | 40 |
| PID 2684 wrote to memory of 2060 | 2684 | chtbrkr32.exe | 40 |
| PID 2684 wrote to memory of 2060 | 2684 | chtbrkr32.exe | 40 |
| PID 2684 wrote to memory of 2060 | 2684 | chtbrkr32.exe | 40 |
| PID 3028 wrote to memory of 1712 | 3028 | EhStorShell32.exe | 41 |
| PID 3028 wrote to memory of 1712 | 3028 | EhStorShell32.exe | 41 |
| PID 3028 wrote to memory of 1712 | 3028 | EhStorShell32.exe | 41 |
| PID 3028 wrote to memory of 1712 | 3028 | EhStorShell32.exe | 41 |
Processes

- C:\Users\Admin\AppData\Local\Temp\ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe (PID 2468)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Installs/modifies Browser Helper Object; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\EhStorShell32.exe (PID 3028)
    Command line: "C:\Windows\system32\EhStorShell32.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe (PID 1712)
      Command line: "C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\netsh.exe (PID 2132)
    Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\chtbrkr32.exe" enable=yes profile=domain
    Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\netsh.exe (PID 2736)
    Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\chtbrkr32.exe" enable=yes profile=private
    Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\netsh.exe (PID 2676)
    Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\chtbrkr32.exe" enable=yes profile=public
    Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\WerFault.exe (PID 3000)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 420
    Signatures: Program crash
- C:\Windows\SysWOW64\chtbrkr32.exe (PID 2684)
  Command line: C:\Windows\SysWOW64\chtbrkr32.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - C:\ProgramData\EhStorShell32.exe (PID 2060)
    Command line: schutz
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Browser Extensions (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - AppInit DLLs (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - AppInit DLLs (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads

- Filesize: 30B
  - MD5: c2389ed519f1079d9b472acd9b8d2b5d
  - SHA1: e678f8dd6c817841178a44be438c0d60ea93edf0
  - SHA256: 1c0e6439f8fd7634fc0e0eec37b471945f97b736054d117902589723dcc621a9
  - SHA512: 2c26cf40619593fe4d365f14a3e56ffbb3c889d1f9fd7e925e63a84ca31c4f0101b76515becbc831eee20c02ed413b2f921729bef8ebbffbd73d2cf3a67ea786
- Filesize: 118B
  - MD5: 95e03b888e2a8e4bd54813052d14add6
  - SHA1: 25a1f3c013df44792dc18ee6762155c5b9f5a1cb
  - SHA256: db20a5eb7f17ea7917fdd49ac8c5a257a0403441ef3a632e1f2a1ed991421630
  - SHA512: c2873a365e00f9eed6d849729f4f1cdd8a73dc19ed1e53202faf3e4e763f9366d6632601cc2edde68fabe825e594797fe4ed3a75839fa285a957ad2c9ecd25c5
- Filesize: 1.3MB
  - MD5: ad68925c8de4f346723ddc172b416e4d
  - SHA1: 80553a650296fe664ea25ca567ae85353517f1a2
  - SHA256: 218f6f03046a19ccbdc91f45959eb43def38bf11fe296c5ca57192ab5454d5b9
  - SHA512: a464c8026407c0d1d8912e14022109d1a72d445f4d1cc9ab0878f19d21f332baa8a2e500a81790f08862b9e1bd5f7984a0387ea1a6bdc0200ae182c65156d2c4
- Filesize: 237KB
  - MD5: 89bb9ca773905940857029d2ebbaf05c
  - SHA1: 7e54d91335ccfc6a71133b009ff967b260e27a07
  - SHA256: 49ef211378801ab5697f63be3724f7be9b1059ca9ac3fd2ac70f803240c81dc6
  - SHA512: 939c11450a3c2277be8ce1ce8ece1963ce8585d8ac2f94bb568b96c9ef769e11944e7e9a8d4f829b59262f519357eda142a4bdcb0ca454fd60f6df153c360737
- Filesize: 201KB
  - MD5: 2f7a846ff1e1107d0e4294aa1d258422
  - SHA1: c3e23bb7cacae31ac6dd462345a40dca2489f512
  - SHA256: d4dd7b5a74766aae1b4821dcd2afddaabb3e25ba109d3ba74ac3989458928d37
  - SHA512: f8e31fa3f8327dcb2453531bd4a8e3940418944881088fcce240d8a8e8bbeb593b6ebe6dc69057dc3b95f5bda8cfdc2ea2d0e6869f6e0d646010393033da48c9
- Filesize: 404KB
  - MD5: 259772a6ea6441040e71b60077021e0f
  - SHA1: 16221b086215c9bbbfddaeafa4cfb0c5a520cdc5
  - SHA256: dc47c9ab64dab7f3cf2c46bb63cc36c3e508a770d303d07a40cacb06dc9183a4
  - SHA512: 89f3d69525a57e4f6571fe9e5064b1426a7f40087b14bc36213b93c9aea02de40d4ce2323c82ca929bf8aebc0249e5072eae36411ee4a95eab4a51fd1214651e