8acc540558b6b27cb3cb317f518be14c8fa14357c95f9121645b6f05b77ae934

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 23:43 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Size

27KB
MD5

c1d60bd69f7401a7b89e68477568890b
SHA1

69bb44e4deee308720df5d7875ada0713a77500b
SHA256

8acc540558b6b27cb3cb317f518be14c8fa14357c95f9121645b6f05b77ae934
SHA512

03497a5c2283442eb8861ba1354d43652f4088793ee56e2113098e6566f65781829a9afb6cf7db9ade3cc7dfee0960d306da14e7e365617534f6636b11b4c636
SSDEEP

768:vGt/RmafR6e2pjX9rNxpyxc7JbTi3ckCI:vYRVke2p79RxWc7n8

Score

8^/10

discovery persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavUpdate.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavUpdate.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAS.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2272	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\Z:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\G:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\I:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\L:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\S:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\V:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\X:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\H:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\N:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\O:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\U:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\W:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\Y:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\E:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\K:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\M:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\Q:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\R:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\T:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened (read-only)	\??\J:	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File created	C:\AUTORUN.INF	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File created	F:\AUTORUN.INF	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MFCN4213d.DLL	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MFCN4213d.DLL	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wauc11.exe	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\explorer.exe	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wauc11.exe	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3356 set thread context of 2272	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	137

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3708	2272	WerFault.exe	137

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B0C2D475-B884-11D6-9A04-5ED96FC588C3} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Token: SeBackupPrivilege	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Token: SeRestorePrivilege	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Token: SeRestorePrivilege	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Token: SeRestorePrivilege	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Token: SeRestorePrivilege	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Token: SeRestorePrivilege	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Token: SeBackupPrivilege	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Token: SeRestorePrivilege	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Token: SeRestorePrivilege	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Token: SeRestorePrivilege	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Token: SeRestorePrivilege	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
Token: SeRestorePrivilege	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
652	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
652	IEXPLORE.EXE
652	IEXPLORE.EXE
628	IEXPLORE.EXE
628	IEXPLORE.EXE
628	IEXPLORE.EXE
628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 3540	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	84
PID 3356 wrote to memory of 3540	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	84
PID 3356 wrote to memory of 3540	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	84
PID 3540 wrote to memory of 1124	3540	cmd.exe	86
PID 3540 wrote to memory of 1124	3540	cmd.exe	86
PID 3540 wrote to memory of 1124	3540	cmd.exe	86
PID 1124 wrote to memory of 5080	1124	net.exe	87
PID 1124 wrote to memory of 5080	1124	net.exe	87
PID 1124 wrote to memory of 5080	1124	net.exe	87
PID 3356 wrote to memory of 3896	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	90
PID 3356 wrote to memory of 3896	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	90
PID 3356 wrote to memory of 3896	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	90
PID 3896 wrote to memory of 2112	3896	cmd.exe	92
PID 3896 wrote to memory of 2112	3896	cmd.exe	92
PID 3896 wrote to memory of 2112	3896	cmd.exe	92
PID 2112 wrote to memory of 224	2112	net.exe	93
PID 2112 wrote to memory of 224	2112	net.exe	93
PID 2112 wrote to memory of 224	2112	net.exe	93
PID 3356 wrote to memory of 1904	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	95
PID 3356 wrote to memory of 1904	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	95
PID 3356 wrote to memory of 1904	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	95
PID 1904 wrote to memory of 652	1904	cmd.exe	97
PID 1904 wrote to memory of 652	1904	cmd.exe	97
PID 1904 wrote to memory of 652	1904	cmd.exe	97
PID 652 wrote to memory of 3188	652	net.exe	98
PID 652 wrote to memory of 3188	652	net.exe	98
PID 652 wrote to memory of 3188	652	net.exe	98
PID 3356 wrote to memory of 2708	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	99
PID 3356 wrote to memory of 2708	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	99
PID 3356 wrote to memory of 2708	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	99
PID 2708 wrote to memory of 2764	2708	cmd.exe	101
PID 2708 wrote to memory of 2764	2708	cmd.exe	101
PID 2708 wrote to memory of 2764	2708	cmd.exe	101
PID 2764 wrote to memory of 4764	2764	net.exe	102
PID 2764 wrote to memory of 4764	2764	net.exe	102
PID 2764 wrote to memory of 4764	2764	net.exe	102
PID 3356 wrote to memory of 1628	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	103
PID 3356 wrote to memory of 1628	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	103
PID 3356 wrote to memory of 1628	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	103
PID 1628 wrote to memory of 3420	1628	cmd.exe	105
PID 1628 wrote to memory of 3420	1628	cmd.exe	105
PID 1628 wrote to memory of 3420	1628	cmd.exe	105
PID 3420 wrote to memory of 2932	3420	net.exe	106
PID 3420 wrote to memory of 2932	3420	net.exe	106
PID 3420 wrote to memory of 2932	3420	net.exe	106
PID 3356 wrote to memory of 4092	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	107
PID 3356 wrote to memory of 4092	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	107
PID 3356 wrote to memory of 4092	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	107
PID 4092 wrote to memory of 1588	4092	cmd.exe	109
PID 4092 wrote to memory of 1588	4092	cmd.exe	109
PID 4092 wrote to memory of 1588	4092	cmd.exe	109
PID 1588 wrote to memory of 3908	1588	net.exe	110
PID 1588 wrote to memory of 3908	1588	net.exe	110
PID 1588 wrote to memory of 3908	1588	net.exe	110
PID 3356 wrote to memory of 664	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	112
PID 3356 wrote to memory of 664	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	112
PID 3356 wrote to memory of 664	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	112
PID 664 wrote to memory of 2516	664	cmd.exe	114
PID 664 wrote to memory of 2516	664	cmd.exe	114
PID 664 wrote to memory of 2516	664	cmd.exe	114
PID 2516 wrote to memory of 2200	2516	net.exe	115
PID 2516 wrote to memory of 2200	2516	net.exe	115
PID 2516 wrote to memory of 2200	2516	net.exe	115
PID 3356 wrote to memory of 2396	3356	c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop McShield
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\net.exe
    net stop McShield
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McShield
      4⤵
      System Location Discovery: System Language Discovery
      PID:5080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop KWhatchsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\SysWOW64\net.exe
    net stop KWhatchsvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KWhatchsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop KPfwSvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\net.exe
    net stop KPfwSvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KPfwSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:3188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Symantec AntiVirus"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\net.exe
    net stop "Symantec AntiVirus"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Symantec AntiVirus"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Symantec AntiVirus Drivers Services"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\net.exe
    net stop "Symantec AntiVirus Drivers Services"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Symantec AntiVirus Drivers Services"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Symantec AntiVirus Definition Watcher"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\SysWOW64\net.exe
    net stop "Symantec AntiVirus Definition Watcher"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Symantec AntiVirus Definition Watcher"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "McAfee Framework ·þÎñ"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\SysWOW64\net.exe
    net stop "McAfee Framework ·þÎñ"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "McAfee Framework ·þÎñ"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "McAfee Framework Service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396
- - C:\Windows\SysWOW64\net.exe
    net stop "McAfee Framework Service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3548
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "McAfee Framework Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Network Associates McShield"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3616
- - C:\Windows\SysWOW64\net.exe
    net stop "Network Associates McShield"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Network Associates McShield"
      4⤵
      System Location Discovery: System Language Discovery
      PID:704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Network Associates Task Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:812
- - C:\Windows\SysWOW64\net.exe
    net stop "Network Associates Task Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Network Associates Task Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Norton AntiVirus Server"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3916
- - C:\Windows\SysWOW64\net.exe
    net stop "Norton AntiVirus Server"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Norton AntiVirus Server"
      4⤵
      System Location Discovery: System Language Discovery
      PID:716
- C:\Users\Admin\AppData\Local\Temp\c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 12
    3⤵
    - Program crash
    PID:3708
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:316
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3532
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4204
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4856
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3548
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4948
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3940
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:652
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:652 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2272 -ip 2272
1⤵
PID:4500

Network

DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7d83c46a29444d949d28984d180d63bd&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7d83c46a29444d949d28984d180d63bd&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3D4CC17C7F0D67D11906D59A7E2A66CA; domain=.bing.com; expires=Fri, 19-Sep-2025 23:43:50 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2926D78628BB42A0903D716456BFB6DB Ref B: LON04EDGE0619 Ref C: 2024-08-25T23:43:50Z
date: Sun, 25 Aug 2024 23:43:49 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7d83c46a29444d949d28984d180d63bd&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7d83c46a29444d949d28984d180d63bd&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3D4CC17C7F0D67D11906D59A7E2A66CA

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=bcVC2XBLNcjX2Om6cpW_I7U_G9MVomThY3-ACVJ584o; domain=.bing.com; expires=Fri, 19-Sep-2025 23:43:50 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CF1EE02D3C03468581F37FF4650B009D Ref B: LON04EDGE0619 Ref C: 2024-08-25T23:43:50Z
date: Sun, 25 Aug 2024 23:43:49 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7d83c46a29444d949d28984d180d63bd&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7d83c46a29444d949d28984d180d63bd&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3D4CC17C7F0D67D11906D59A7E2A66CA; MSPTC=bcVC2XBLNcjX2Om6cpW_I7U_G9MVomThY3-ACVJ584o

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E61AF79B7FF14FB7AA1D2222C6A11263 Ref B: LON04EDGE0619 Ref C: 2024-08-25T23:43:50Z
date: Sun, 25 Aug 2024 23:43:49 GMT
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

api.bing.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

api.bing.com

IN A

Response

api.bing.com

IN CNAME

api-bing-com.e-0001.e-msedge.net

api-bing-com.e-0001.e-msedge.net

IN CNAME

e-0001.e-msedge.net

e-0001.e-msedge.net

IN A

13.107.5.80
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet

150.171.27.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7d83c46a29444d949d28984d180d63bd&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7d83c46a29444d949d28984d180d63bd&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7d83c46a29444d949d28984d180d63bd&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7d83c46a29444d949d28984d180d63bd&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

HTTP Response

204
52.111.227.13:443

322 B
7
204.79.197.200:443

ieonline.microsoft.com

tls

2.3kB
28.7kB
35
33
204.79.197.200:443

ieonline.microsoft.com

tls

1.2kB
8.2kB
15
14

8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

136.32.126.40.in-addr.arpa

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

api.bing.com

dns

IEXPLORE.EXE

58 B
134 B
1
1

DNS Request

api.bing.com

DNS Response

13.107.5.80
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AUTORUN.INF

Filesize
143B

MD5
77959cc588db738d0b8fe7e0e71551e2

SHA1
6c87e5994a72ebc9e0a012eecb9572e05820d2f4

SHA256
d1b07ae3ba2f9a1b5522cee988c0c67b3451bec2a61f7ad19bc1c9831c447a9b

SHA512
407931710444de7b0335d30833bae567c06bdb6ce8b77f2140de67902ef12c7ce850bf01cdc16d37fdeb791258a1c7226b440d682e64db9b783b5a1e227a1fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FGWUB7UN\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe

Filesize
27KB

MD5
c1d60bd69f7401a7b89e68477568890b

SHA1
69bb44e4deee308720df5d7875ada0713a77500b

SHA256
8acc540558b6b27cb3cb317f518be14c8fa14357c95f9121645b6f05b77ae934

SHA512
03497a5c2283442eb8861ba1354d43652f4088793ee56e2113098e6566f65781829a9afb6cf7db9ade3cc7dfee0960d306da14e7e365617534f6636b11b4c636

Download Submit
memory/2272-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3356-0-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/3356-1-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/3356-4-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.