Analysis
- max time kernel: 150s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 21-08-2024 05:37

Behavioral task: behavioral1
- Sample: b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
- Resource: win10v2004-20240802-en

General
- Target: b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
- Size: 88KB
- MD5: b2483ad0a449f083de08dfc3f6ea52d5
- SHA1: b2564a83daff947b6cd8bd991c3c97da2b486cc5
- SHA256: 2fae63b5ac9132e0cbe6ed4804af043bf257ed480e432ff6c4278044a3dbe832
- SHA512: c20e9df0cb777326e0b4f1864562e324f9d888977331197479bc3b50b27643b55796f621168c5f84fdfa22f4de6a555f9e2500e7252945e797b4b9c0769daaf6
- SSDEEP: 1536:n3eNvWRUCl7c2+ca+Kt7Jg129ApRBgaYtRHcVUHTn3UgXxuheC3+9nnlhBg:3qWRdpc2+Ya7K0SpRBgaYtRHcVUHD3U/

Malware Config

Signatures
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\windows\\Sysa.exe" | winsystem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\windows\\Sysa.exe" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\windows\\Sysa.exe" | sysb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\windows\\Sysa.exe" | sysa.exe
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winsystem.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | sysa.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | sysb.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | sysa.exe
Blocks application from running via registry modification 4 IoCs
Adds application to list of disallowed applications.
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | winsystem.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | sysa.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | sysb.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | sysa.exe
Executes dropped EXE 4 IoCs
pid | Process
3020 | winsystem.exe
2260 | sysa.exe
2432 | sysb.exe
988 | sysa.exe

resource | yara_rule
behavioral1/memory/1496-0-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/files/0x00060000000186be-8.dat | upx
behavioral1/memory/3020-43-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1496-89-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2260-170-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2432-244-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2260-287-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/3020-290-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/files/0x000800000001752b-295.dat | upx
behavioral1/memory/2432-348-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/3020-351-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/988-365-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/3020-442-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/3020-522-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/988-538-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/3020-553-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2432-558-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/3020-576-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/3020-667-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/3020-718-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/3020-749-0x0000000000400000-0x0000000000457000-memory.dmp | upx
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explores = "C:\\BootEx.exe" | winsystem.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" | winsystem.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explores = "C:\\BootEx.exe" | sysb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explores = "C:\\BootEx.exe" | sysa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" | winsystem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explores = "C:\\BootEx.exe" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" | sysb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" | sysb.exe
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | sysa.exe
File opened (read-only) | \??\Y: | sysa.exe
File opened (read-only) | \??\Z: | sysa.exe
File opened (read-only) | \??\G: | winsystem.exe
File opened (read-only) | \??\H: | winsystem.exe
File opened (read-only) | \??\K: | winsystem.exe
File opened (read-only) | \??\G: | sysa.exe
File opened (read-only) | \??\X: | sysa.exe
File opened (read-only) | \??\I: | winsystem.exe
File opened (read-only) | \??\Y: | winsystem.exe
File opened (read-only) | \??\E: | sysa.exe
File opened (read-only) | \??\K: | sysa.exe
File opened (read-only) | \??\E: | winsystem.exe
File opened (read-only) | \??\X: | winsystem.exe
File opened (read-only) | \??\H: | sysa.exe
File opened (read-only) | \??\J: | winsystem.exe
File opened (read-only) | \??\Z: | winsystem.exe
File opened (read-only) | \??\I: | sysa.exe
Drops file in System32 directory 16 IoCs
description | ioc | Process
File created | \??\c:\windows\SysWOW64\oeminfo.ini | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\oemlogo.bmp | winsystem.exe
File opened for modification | \??\c:\windows\SysWOW64\WindowsProtection.exe | sysa.exe
File created | \??\c:\windows\SysWOW64\WindowsProtection.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File created | \??\c:\windows\SysWOW64\oemlogo.bmp | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\oeminfo.ini | winsystem.exe
File opened for modification | \??\c:\windows\SysWOW64\oemlogo.bmp | sysa.exe
File opened for modification | \??\c:\windows\SysWOW64\WindowsProtection.exe | sysa.exe
File opened for modification | \??\c:\windows\SysWOW64\WindowsProtection.exe | winsystem.exe
File opened for modification | \??\c:\windows\SysWOW64\oeminfo.ini | sysa.exe
File opened for modification | \??\c:\windows\SysWOW64\WindowsProtection.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\WindowsProtection.exe | sysb.exe
File opened for modification | \??\c:\windows\SysWOW64\oeminfo.ini | sysb.exe
File opened for modification | \??\c:\windows\SysWOW64\oemlogo.bmp | sysb.exe
File opened for modification | \??\c:\windows\SysWOW64\oeminfo.ini | sysa.exe
File opened for modification | \??\c:\windows\SysWOW64\oemlogo.bmp | sysa.exe
Drops file in Windows directory 63 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\SystemMonitor64.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SystemMonitor64.exe | sysa.exe
File opened for modification | \??\c:\windows\system\oeminfo.ini | sysb.exe
File created | \??\c:\windows\Win System.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File created | \??\c:\windows\MonitorSetup.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File created | \??\c:\windows\system\oeminfo.ini | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File created | \??\c:\windows\system\oemlogo.bmp | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\MonitorMission.run | winsystem.exe
File opened for modification | \??\c:\windows\windows.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File created | \??\c:\windows\MonitorMission.run | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File created | \??\c:\windows\sysa.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\windows.exe | winsystem.exe
File created | \??\c:\windows\WinSystem.exe | sysa.exe
File created | \??\c:\windows\SystemMonitor64.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\MonitorMission.run | sysa.exe
File opened for modification | \??\c:\windows\windows.exe | sysa.exe
File created | \??\c:\windows\WinSys32.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\windows.exe | sysa.exe
File opened for modification | \??\c:\windows\WinSys32.exe | sysa.exe
File opened for modification | \??\c:\windows\WinSys32.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File created | \??\c:\windows\runrunrun.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\runrunrun.exe | winsystem.exe
File opened for modification | \??\c:\windows\Win System.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\MonitorSetup.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\Win System.exe | winsystem.exe
File opened for modification | \??\c:\windows\system\oeminfo.ini | winsystem.exe
File opened for modification | \??\c:\windows\system\oemlogo.bmp | sysa.exe
File opened for modification | \??\c:\windows\runrunrun.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\winsystem.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SystemMonitor64.exe | winsystem.exe
File opened for modification | \??\c:\windows\MonitorSetup.exe | sysa.exe
File opened for modification | \??\c:\windows\system\oeminfo.ini | sysa.exe
File opened for modification | \??\c:\windows\Win System.exe | sysb.exe
File opened for modification | \??\c:\windows\windows.exe | sysb.exe
File opened for modification | \??\c:\windows\system\oemlogo.bmp | sysa.exe
File opened for modification | \??\c:\windows\WinSystem.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File created | \??\c:\windows\WinSystem.exe | winsystem.exe
File opened for modification | \??\c:\windows\MonitorMission.run | sysb.exe
File opened for modification | \??\c:\windows\MonitorMission.run | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\MonitorSetup.exe | winsystem.exe
File opened for modification | \??\c:\windows\system\oemlogo.bmp | winsystem.exe
File created | \??\c:\windows\WinSystem.exe | sysa.exe
File opened for modification | \??\c:\windows\WinSys32.exe | sysb.exe
File opened for modification | \??\c:\windows\MonitorSetup.exe | sysa.exe
File opened for modification | \??\c:\windows\sysa.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\WinSys32.exe | winsystem.exe
File opened for modification | \??\c:\windows\WinSys32.exe | sysa.exe
File opened for modification | \??\c:\windows\runrunrun.exe | sysa.exe
File created | \??\c:\windows\WinSystem.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\Win System.exe | sysa.exe
File created | \??\c:\windows\windows.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File created | \??\c:\windows\sysb.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\system\oemlogo.bmp | sysb.exe
File opened for modification | \??\c:\windows\MonitorMission.run | sysa.exe
File opened for modification | \??\c:\windows\system\oeminfo.ini | sysa.exe
File opened for modification | \??\c:\windows\runrunrun.exe | sysb.exe
File opened for modification | \??\c:\windows\SystemMonitor64.exe | sysb.exe
File opened for modification | \??\c:\windows\MonitorSetup.exe | sysb.exe
File opened for modification | \??\c:\windows\sysb.exe | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
File opened for modification | \??\c:\windows\runrunrun.exe | sysa.exe
File created | \??\c:\windows\WinSystem.exe | sysb.exe
File opened for modification | \??\c:\windows\Win System.exe | sysa.exe
File opened for modification | \??\c:\windows\SystemMonitor64.exe | sysa.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winsystem.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\shell | winsystem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\NeverShowExt | sysb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.MDBFile\ = "Application" | sysa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.dat | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\DefaultIcon\ = "C:\\windows\\windows.exe" | winsystem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\ = "Application" | winsystem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Run As\Command | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "cfgFile" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | sysb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\ = "Application" | sysb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bin | sysb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cvd | sysb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bin\ = "cfgFile" | sysa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Search\Command | winsystem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\DefaultIcon | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exc\ = "excfile" | winsystem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\shell\open\command\ = "\"%1\" %*" | winsystem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\Shell\Open\Command | sysb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\shell\open\command | sysb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Search\Command\ = "C:\\windows\\MonitorMission.run" | sysa.exe
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exc | winsystem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "cfgFile" | sysb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exc\ = "excfile" | sysb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\DefaultIcon | winsystem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template.8\ = "Application" | sysb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template.8\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dbfile\ = "Application" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Addin.8\ = "Application" | winsystem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.MDBFile\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template.8\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | sysb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.run\ = "exefile" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\Shell\Open\Command\ = "\"%1\" %*" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.LockFile.14\ = "Application" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfg\ = "cfgFile" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.dat\ = "cfgFile" | sysa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Scan for Virus\Command | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exed\ = "exedfile" | sysb.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\Shell\Open\Command | winsystem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\DefaultIcon | sysa.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exed\ = "exedfile" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\ = "Application" | winsystem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Scan for Virus\Command\ = "C:\\windows\\MonitorMission.run" | sysa.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.LockFile.14\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | winsystem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.MDBFile\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.LockFile.14\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | sysa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Search | winsystem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\ = "Application" | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\NeverShowExt | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Scan for Virus\Command\ = "C:\\windows\\winsystem.exe" | sysa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfg | sysa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Run As | winsystem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Run As\Command | sysa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Addin.8\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | sysb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\ = "Application" | sysb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.run\ = "exefile" | sysa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.run | sysb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\DefaultIcon | sysb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "cfgFile" | sysa.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
1496 | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
3020 | winsystem.exe
2260 | sysa.exe
2432 | sysb.exe
988 | sysa.exe
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 1496 wrote to memory of 1180 | 1496 | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe | 30
PID 1496 wrote to memory of 1180 | 1496 | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe | 30
PID 1496 wrote to memory of 1180 | 1496 | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe | 30
PID 1496 wrote to memory of 1180 | 1496 | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe | 30
PID 1496 wrote to memory of 3020 | 1496 | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe | 32
PID 1496 wrote to memory of 3020 | 1496 | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe | 32
PID 1496 wrote to memory of 3020 | 1496 | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe | 32
PID 1496 wrote to memory of 3020 | 1496 | b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe | 32
PID 3020 wrote to memory of 2260 | 3020 | winsystem.exe | 33
PID 3020 wrote to memory of 2260 | 3020 | winsystem.exe | 33
PID 3020 wrote to memory of 2260 | 3020 | winsystem.exe | 33
PID 3020 wrote to memory of 2260 | 3020 | winsystem.exe | 33
PID 2260 wrote to memory of 2432 | 2260 | sysa.exe | 34
PID 2260 wrote to memory of 2432 | 2260 | sysa.exe | 34
PID 2260 wrote to memory of 2432 | 2260 | sysa.exe | 34
PID 2260 wrote to memory of 2432 | 2260 | sysa.exe | 34
PID 3020 wrote to memory of 988 | 3020 | winsystem.exe | 35
PID 3020 wrote to memory of 988 | 3020 | winsystem.exe | 35
PID 3020 wrote to memory of 988 | 3020 | winsystem.exe | 35
PID 3020 wrote to memory of 988 | 3020 | winsystem.exe | 35
Processes
[Level 1] C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118.exe"
  PID: 1496
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  [Level 2] \??\c:\windows\explorer.exe
    Command line: c:\windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5_JaffaCakes118
    PID: 1180

  [Level 2] \??\c:\windows\winsystem.exe
    Command line: c:\windows\winsystem.exe
    PID: 3020
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Blocks application from running via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [Level 3] \??\c:\windows\sysa.exe
      Command line: c:\windows\sysa.exe
      PID: 2260
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Blocks application from running via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      [Level 4] \??\c:\windows\sysb.exe
        Command line: c:\windows\sysb.exe
        PID: 2432
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Blocks application from running via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx

    [Level 3] \??\c:\windows\sysa.exe
      Command line: c:\windows\sysa.exe
      PID: 988
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Blocks application from running via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx

[Level 1] C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 2972
  - Modifies Internet Explorer settings
  - Modifies registry class
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
Downloads

- Filesize: 88KB
  MD5: b2483ad0a449f083de08dfc3f6ea52d5
  SHA1: b2564a83daff947b6cd8bd991c3c97da2b486cc5
  SHA256: 2fae63b5ac9132e0cbe6ed4804af043bf257ed480e432ff6c4278044a3dbe832
  SHA512: c20e9df0cb777326e0b4f1864562e324f9d888977331197479bc3b50b27643b55796f621168c5f84fdfa22f4de6a555f9e2500e7252945e797b4b9c0769daaf6

- Filesize: 352B
  MD5: 0cdffe25655b0a1d50ce48f38ca4ece3
  SHA1: 1d491cc0083d21d9ecfa3452c4e53e2340840a3d
  SHA256: 03dad49f74ba11b8deaeb5ea75733f3824a4141134e092cf17843d1f3fe954e4
  SHA512: e1c5951ad81e8f115099bc6bf6eb20348d97dfc54b3f638b3301150f5d86dc6c855a28e1f603b87d2fb84fb9a17536354a9d07749658be05883296de1cd54b34

- Filesize: 577B
  MD5: b3b020c4b060bfe84fbbb424221f1073
  SHA1: eb9e62232504b9180f8a3f718b64cb68e4149b2c
  SHA256: c13cda99ef7b0a48b7829d4a586483a0c09d0bc2400bf44dbb9efe2fb9c4f2fc
  SHA512: 57c216c612b2c8069a7f3dc8f61f8076d0f1c03dd933699f7fcd9a792e3c907e301575af6021f370809f6f2e0d2efa2ddcf4b6411d056890c728aabb5436a708

- Filesize: 622B
  MD5: d7f66fc25609ee73edc3fd6b255ff55e
  SHA1: 9a7dd2784e53f4a55d0d26d24ca20ec1c937cc7b
  SHA256: d23bc4f30a9e5f0fedd7688435045bfe6c961c9fea4878b493d15e98aae0446c
  SHA512: e67612ac8822765e51b071b3f264175527a34378e5eca05196f76d2685be3ad36dae8e5d178890cedbc1ac3364eb875b01ba632332a8c68057ca094d3385f876

- Filesize: 38KB
  MD5: be6708e2d2b827b96986be51f0fe3c49
  SHA1: b2ac649475b1561ce74416ca12187e688c2c82ba
  SHA256: ace4b11d1720f686532407398bf8de75f32dda63cf237d50dd7fbc25612e0af0
  SHA512: a3f7f06c95eee2cb828ea060e2b618746c8b423602e257a360961744b8b8d57e37e9ba575162be8c8fc3eed9b7792911211ac71eb5c63a57eee42e14a9e09312

- Filesize: 63KB
  MD5: 1b382eebf291264ff3dd501af736c9ca
  SHA1: b96e7e94311b399fac3169fccd0886da60a734ea
  SHA256: 9d48f180598a7d9a3cc7629d112468ebfbd7c0d6ff0edbcbca2fda03db53c2c9
  SHA512: 35c09d820835622c38424ae10929163732e9b125a4d57ccf4d95290a4f9e3c94dbc871075c3fefbde7ae420baa1da2f2b69837854826f8fec3652cf0fa4f716a

- Filesize: 685B
  MD5: 1426be8632f29a0c2c879c8c533b0aa8
  SHA1: 08b8b741ed94a760afd6995695aa5fa3fe0bbd6d
  SHA256: 341c01d668bdcbe49dabce3bc5a18b85b773f0ad9dca12bceb73b0d29cd32707
  SHA512: 168be384a3826c6e74bb606da4f607b9d4b3f5cc28c383f7e1bf455ba8f915906c3295416c005e3de1757ef379a610cbcb35e6dbcc3cf5154cb973055ef19bdd