Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 20/08/2024, 14:00

Static task: static1
Behavioral task: behavioral1
Sample: af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Size: 556KB
MD5: af804b4395b81caec9fbc54b945c5f2f
SHA1: b4a3fed5277a21d96b37a09109519fe573d7084a
SHA256: f2885293397e2fa2fb685a94c0619644015aa98860478efdd8db2b5821ba891d
SHA512: 19aea01695afe75568a93bd373179065f868aa9b8c054cf58cf35a4843504efc87d5fc58ad530607430f62f32bd59b9725d89952aac6991b69a1b62533aa7d8f
SSDEEP: 6144:9++yM3HiP/qp9LGM+yM3HCP/54pcNJcF4Y+Ox3ZP9nC+mCEjknHKuEb4naZDRS:9+niHV3VniH24+Y4Y39zntHKuEwiS
Malware Config
Extracted
Family: cybergate
Version: 2.6
Botnet: Mamacitas
C2: spy2281.no-ip.org:777
Mutex: MICROSOF
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: svchost.exe
install_dir: System32
install_file: svchost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Try again
message_box_title: Application error
password: cache
regkey_hkcu: USER\windows
regkey_hklm: MACHINE
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\svchost.exe" | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\svchost.exe" | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ULRWT220-U16X-4Q25-45AD-N18X88L4K71Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\svchost.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{ULRWT220-U16X-4Q25-45AD-N18X88L4K71Q} | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ULRWT220-U16X-4Q25-45AD-N18X88L4K71Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\svchost.exe Restart" | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{ULRWT220-U16X-4Q25-45AD-N18X88L4K71Q} | explorer.exe

Executes dropped EXE (2 IoCs)
pid | Process
1988 | svchost.exe
2816 | svchost.exe

Loads dropped DLL (2 IoCs)
pid | Process
1944 | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944 | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

resource | yara_rule
behavioral1/memory/2752-3-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral1/memory/2752-5-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral1/memory/2752-7-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral1/memory/2752-8-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral1/memory/2752-9-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral1/memory/2752-12-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral1/memory/2752-309-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral1/memory/2676-537-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/memory/2752-871-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral1/memory/2816-3499-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral1/memory/2676-3734-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/memory/2816-3742-0x0000000000400000-0x0000000000458000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MACHINE = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\svchost.exe" | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\USER\windows = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\svchost.exe" | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\svchost.exe | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\svchost.exe | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2876 set thread context of 2752 | 2876 | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe | 30
PID 1988 set thread context of 2816 | 1988 | svchost.exe | 34

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2752 | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1944 | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1944 | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1944 | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
Token: SeDebugPrivilege | 1944 | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2752 | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2876 | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe
1988 | svchost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2876 wrote to memory of 2752 | 2876 | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe | 30
PID 2752 wrote to memory of 1208 | 2752 | af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe | 21
Processes
image path | command line | PID (indented by depth in the process tree)

C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | PID: 256
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID: 332
C:\Windows\system32\wininit.exe | wininit.exe | PID: 384
    C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID: 476
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID: 592
            C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe | PID: 1620
            C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID: 344
            C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | PID: 1032
            C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | PID: 7840
            C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | PID: 8636
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID: 672
        C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID: 740
        C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID: 812
            C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID: 1168
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID: 840
            C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | PID: 2688
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID: 964
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID: 108
        C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID: 296
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID: 1072
        C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID: 1092
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" | PID: 1432
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID: 2364
        C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID: 1476
    C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID: 492
    C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID: 500
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID: 392
C:\Windows\system32\winlogon.exe | winlogon.exe | PID: 432
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID: 1208
    C:\Users\Admin\AppData\Local\Temp\af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe" | PID: 2876
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe" | PID: 2752
          - Adds policy Run key to start application
          - Boot or Logon Autostart Execution: Active Setup
          - Adds Run key to start application
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID: 2676
              - Boot or Logon Autostart Execution: Active Setup
              - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\af804b4395b81caec9fbc54b945c5f2f_JaffaCakes118.exe" | PID: 1944
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
                C:\Users\Admin\AppData\Roaming\System32\svchost.exe | "C:\Users\Admin\AppData\Roaming\System32\svchost.exe" | PID: 1988
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                    C:\Users\Admin\AppData\Roaming\System32\svchost.exe | "C:\Users\Admin\AppData\Roaming\System32\svchost.exe" | PID: 2816
                      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (3)
        Active Setup (1)
        Registry Run Keys / Startup Folder (2)
Privilege Escalation
    Boot or Logon Autostart Execution (3)
        Active Setup (1)
        Registry Run Keys / Startup Folder (2)
Downloads