Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
24/08/2024, 00:11
Static task
static1
Behavioral task
behavioral1
Sample
bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe
-
Size
93KB
-
MD5
bda06e36463d41a1aee9f4f42f944bf8
-
SHA1
9cacb4d9f6aa451340e86f81939b277f9a86282d
-
SHA256
f52242e5b0cf6b9c7910f6da65e1be52296747b12ef6ffbf49bc5df880d97945
-
SHA512
b36d37b0cd30463ceff9ecd10386dc5e253326fec03558de0f20997f1e36b2d40d1f260f2bcf38b81f0852f596c6ade2309ce53a1ea49ebb09b9d3f3e204978f
-
SSDEEP
1536:qrZNNGgxsVd3uYaFBYZFHwiLUOx6yotbSutXufomvVOLCgYbln5e5AY8k+ahG16E:q87Vd3uVYZZwiLJlmPIALCZXlYz7zXI
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 2788 2A7A4.exe 2848 2A7A4.exe 888 F1CE1.exe -
Loads dropped DLL 8 IoCs
pid Process 2724 bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe 2724 bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe 2848 2A7A4.exe 2848 2A7A4.exe 888 F1CE1.exe 888 F1CE1.exe 888 F1CE1.exe 888 F1CE1.exe -
Drops file in System32 directory 13 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\490XZ60J.txt F1CE1.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\MXRDMZJH.txt F1CE1.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QPQWK913.htm F1CE1.exe File opened for modification C:\Windows\SysWOW64\2A7A4.exe bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\F1CE1.exe 2A7A4.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\8EKDHNLP.txt F1CE1.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\MC8JEVR1.txt F1CE1.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat F1CE1.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\MXRDMZJH.txt F1CE1.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\MC8JEVR1.txt F1CE1.exe File opened for modification C:\Windows\SysWOW64\MSWINSCK.OCX 2A7A4.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\8EKDHNLP.txt F1CE1.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\490XZ60J.txt F1CE1.exe -
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2A7A4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2A7A4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F1CE1.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" F1CE1.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 F1CE1.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix F1CE1.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" F1CE1.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3672FCC5-B714-4182-93C1-9663ACBBD70B}\c2-1a-9c-06-72-ed F1CE1.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" F1CE1.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" F1CE1.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 F1CE1.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3672FCC5-B714-4182-93C1-9663ACBBD70B} F1CE1.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3672FCC5-B714-4182-93C1-9663ACBBD70B}\WpadDecisionReason = "1" F1CE1.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3672FCC5-B714-4182-93C1-9663ACBBD70B}\WpadDecision = "0" F1CE1.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3672FCC5-B714-4182-93C1-9663ACBBD70B}\WpadNetworkName = "Network 3" F1CE1.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-1a-9c-06-72-ed F1CE1.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ F1CE1.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3672FCC5-B714-4182-93C1-9663ACBBD70B}\WpadDecisionTime = e0305a21baf5da01 F1CE1.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-1a-9c-06-72-ed\WpadDecisionReason = "1" F1CE1.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-1a-9c-06-72-ed\WpadDecisionTime = e0305a21baf5da01 F1CE1.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings F1CE1.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 F1CE1.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings F1CE1.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" F1CE1.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad F1CE1.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-1a-9c-06-72-ed\WpadDecision = "0" F1CE1.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections F1CE1.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1 F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX" F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32 F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment" F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0 F1CE1.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}" F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\ F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32 F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX, 1" F1CE1.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1 F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} F1CE1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D} F1CE1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" F1CE1.exe -
Runs net.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2724 bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe 2788 2A7A4.exe 2848 2A7A4.exe 888 F1CE1.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 2724 wrote to memory of 2788 2724 bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe 30 PID 2724 wrote to memory of 2788 2724 bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe 30 PID 2724 wrote to memory of 2788 2724 bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe 30 PID 2724 wrote to memory of 2788 2724 bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe 30 PID 2788 wrote to memory of 2452 2788 2A7A4.exe 31 PID 2788 wrote to memory of 2452 2788 2A7A4.exe 31 PID 2788 wrote to memory of 2452 2788 2A7A4.exe 31 PID 2788 wrote to memory of 2452 2788 2A7A4.exe 31 PID 2724 wrote to memory of 2820 2724 bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe 33 PID 2724 wrote to memory of 2820 2724 bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe 33 PID 2724 wrote to memory of 2820 2724 bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe 33 PID 2724 wrote to memory of 2820 2724 bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe 33 PID 2452 wrote to memory of 2892 2452 cmd.exe 34 PID 2452 wrote to memory of 2892 2452 cmd.exe 34 PID 2452 wrote to memory of 2892 2452 cmd.exe 34 PID 2452 wrote to memory of 2892 2452 cmd.exe 34 PID 2820 wrote to memory of 2832 2820 cmd.exe 36 PID 2820 wrote to memory of 2832 2820 cmd.exe 36 PID 2820 wrote to memory of 2832 2820 cmd.exe 36 PID 2820 wrote to memory of 2832 2820 cmd.exe 36 PID 2892 wrote to memory of 2748 2892 net.exe 37 PID 2892 wrote to memory of 2748 2892 net.exe 37 PID 2892 wrote to memory of 2748 2892 net.exe 37 PID 2892 wrote to memory of 2748 2892 net.exe 37 PID 2832 wrote to memory of 2696 2832 net.exe 38 PID 2832 wrote to memory of 2696 2832 net.exe 38 PID 2832 wrote to memory of 2696 2832 net.exe 38 PID 2832 wrote to memory of 2696 2832 net.exe 38 PID 2848 wrote to memory of 2588 2848 2A7A4.exe 40 PID 2848 wrote to memory of 2588 2848 2A7A4.exe 40 PID 2848 wrote to memory of 2588 2848 2A7A4.exe 40 PID 2848 wrote to memory of 2588 2848 2A7A4.exe 40 PID 2588 wrote to memory of 2752 2588 cmd.exe 42 PID 2588 wrote to memory of 2752 2588 cmd.exe 42 PID 2588 wrote to memory of 2752 2588 cmd.exe 42 PID 2588 wrote to memory of 2752 2588 cmd.exe 42 PID 2752 wrote to memory of 2996 2752 net.exe 43 PID 2752 wrote to memory of 2996 2752 net.exe 43 PID 2752 wrote to memory of 2996 2752 net.exe 43 PID 2752 wrote to memory of 2996 2752 net.exe 43 PID 2848 wrote to memory of 888 2848 2A7A4.exe 44 PID 2848 wrote to memory of 888 2848 2A7A4.exe 44 PID 2848 wrote to memory of 888 2848 2A7A4.exe 44 PID 2848 wrote to memory of 888 2848 2A7A4.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\2A7A4.exeC:\Windows\system32\2A7A4.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\cmd.execmd /c "net start 2A7A4"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\net.exenet start 2A7A44⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start 2A7A45⤵
- System Location Discovery: System Language Discovery
PID:2748
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "net start 2A7A4"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\net.exenet start 2A7A43⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start 2A7A44⤵
- System Location Discovery: System Language Discovery
PID:2696
-
-
-
-
C:\Windows\SysWOW64\2A7A4.exeC:\Windows\SysWOW64\2A7A4.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\cmd.execmd /c "net start 2A7A4"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\net.exenet start 2A7A43⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start 2A7A44⤵
- System Location Discovery: System Language Discovery
PID:2996
-
-
-
-
C:\Windows\SysWOW64\F1CE1.exeC:\Windows\system32\F1CE1.exe eee2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:888
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105KB
MD59484c04258830aa3c2f2a70eb041414c
SHA1b242a4fb0e9dcf14cb51dc36027baff9a79cb823
SHA256bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5
SHA5129d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0
-
Filesize
93KB
MD5bda06e36463d41a1aee9f4f42f944bf8
SHA19cacb4d9f6aa451340e86f81939b277f9a86282d
SHA256f52242e5b0cf6b9c7910f6da65e1be52296747b12ef6ffbf49bc5df880d97945
SHA512b36d37b0cd30463ceff9ecd10386dc5e253326fec03558de0f20997f1e36b2d40d1f260f2bcf38b81f0852f596c6ade2309ce53a1ea49ebb09b9d3f3e204978f
-
Filesize
104KB
MD5ba6117bcfcdec0c687a189abb3e9c010
SHA1abb223c5f68c164a6f0def4cbe73868b57b04827
SHA2564178559c18459ea2364ac131e3d1d4e6d434c700915df96b2a0575c0ceeb4467
SHA51286934c150a03fc2f0951756f4bda02e8a534aec348b21f25a5a0575d45517f15489e33950df120d73f5bd644ce44750cc5a53f5922b243184921cb6feb225b9f