Analysis Overview
SHA256
078a4f6d1fc7ab17969f46111b4c9062ab54f21b214c7d2520b371f75be2ccf2
Threat Level: Known bad
The file c073dc13278b3563542b80888b490e8f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Disables service(s)
Adds policy Run key to start application
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
Deletes itself
Loads dropped DLL
Drops file in System32 directory
Launches sc.exe
Unsigned PE
System Location Discovery: System Language Discovery
Runs net.exe
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 09:35
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 09:35
Reported
2024-08-25 09:38
Platform
win7-20240729-en
Max time kernel
123s
Max time network
126s
Command Line
Signatures
Disables service(s)
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\05dmc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kyw41f.exe" | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\y78nw2o.log | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\y78nw2o.log | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
Runs net.exe
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe"
C:\Windows\SysWOW64\net.exe
net.exe stop "Security Center"
C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= DISABLED
C:\Windows\SysWOW64\net.exe
net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\sc.exe
sc config SharedAccess start= DISABLED
C:\Users\Admin\AppData\Local\Temp\kyw41f.exe
C:\Users\Admin\AppData\Local\Temp\kyw41f.exe
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\xq4xr07wv.bat
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\net.exe
net.exe stop "Security Center"
C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= DISABLED
C:\Windows\SysWOW64\net.exe
net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\sc.exe
sc config SharedAccess start= DISABLED
C:\Users\Admin\AppData\Local\Temp\kyw41f.exe
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
C:\Windows\SysWOW64\net.exe
net.exe stop "Security Center"
C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= DISABLED
C:\Windows\SysWOW64\net.exe
net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\sc.exe
sc config SharedAccess start= DISABLED
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Users\Admin\AppData\Local\Temp\kyw41f.exe
C:\Windows\SysWOW64\net.exe
net.exe stop "Security Center"
C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= DISABLED
C:\Windows\SysWOW64\net.exe
net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\sc.exe
sc config SharedAccess start= DISABLED
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | down.installstorm.com | udp |
| US | 8.8.8.8:53 | down.installstorm.com | udp |
Files
memory/1956-0-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1956-3-0x0000000002F60000-0x0000000003A1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kyw41f.exe
| MD5 | c073dc13278b3563542b80888b490e8f |
| SHA1 | 1d6a54bf2ff1818931dcdc4235a4ada8247fc43d |
| SHA256 | 078a4f6d1fc7ab17969f46111b4c9062ab54f21b214c7d2520b371f75be2ccf2 |
| SHA512 | a4fde107254e3bbfb3c38ca7c0f25c5e2287a415fff2a6b0030c77304331c456f07eaec408363fd220ad38334976e4b76c03c9ebd457328f60574fa0605b23ea |
C:\Users\Admin\AppData\Local\Temp\xq4xr07wv.bat
| MD5 | d36b1960630a883513d357dfc80bf6b4 |
| SHA1 | fdca99228df2dea2cf2e47753f79c54b091f71b7 |
| SHA256 | d9fc6641f9a60c4473512bf8e41eb1a5d79b94ff9d68e27925b907fbb09bf2b6 |
| SHA512 | 4e5794197147c357b682a0bd6013e0dd4a1adbad72d1b7b4211496a3e7807feac97a1e2cd5c78a8f92e6cb39d7afcdd142433933faa272fcd2c555bf16270992 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 09:35
Reported
2024-08-25 09:38
Platform
win10v2004-20240802-en
Max time kernel
136s
Max time network
147s
Command Line
Signatures
Disables service(s)
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\05dmc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kyw41f.exe" | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\y78nw2o.log | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
Runs net.exe
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyw41f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe"
C:\Windows\SysWOW64\net.exe
net.exe stop "Security Center"
C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= DISABLED
C:\Windows\SysWOW64\net.exe
net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\sc.exe
sc config SharedAccess start= DISABLED
C:\Users\Admin\AppData\Local\Temp\kyw41f.exe
C:\Users\Admin\AppData\Local\Temp\kyw41f.exe
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\7zd60ah5.bat
C:\Windows\SysWOW64\net.exe
net.exe stop "Security Center"
C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= DISABLED
C:\Windows\SysWOW64\net.exe
net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\sc.exe
sc config SharedAccess start= DISABLED
C:\Users\Admin\AppData\Local\Temp\kyw41f.exe
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
C:\Windows\SysWOW64\net.exe
net.exe stop "Security Center"
C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= DISABLED
C:\Windows\SysWOW64\net.exe
net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\sc.exe
sc config SharedAccess start= DISABLED
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | down.installstorm.com | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | down.installstorm.com | udp |
| US | 8.8.8.8:53 | down.installstorm.com | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | down.installstorm.com | udp |
| US | 8.8.8.8:53 | down.installstorm.com | udp |
| US | 8.8.8.8:53 | down.installstorm.com | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/4736-0-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kyw41f.exe
| MD5 | c073dc13278b3563542b80888b490e8f |
| SHA1 | 1d6a54bf2ff1818931dcdc4235a4ada8247fc43d |
| SHA256 | 078a4f6d1fc7ab17969f46111b4c9062ab54f21b214c7d2520b371f75be2ccf2 |
| SHA512 | a4fde107254e3bbfb3c38ca7c0f25c5e2287a415fff2a6b0030c77304331c456f07eaec408363fd220ad38334976e4b76c03c9ebd457328f60574fa0605b23ea |
memory/4736-11-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zd60ah5.bat
| MD5 | d36b1960630a883513d357dfc80bf6b4 |
| SHA1 | fdca99228df2dea2cf2e47753f79c54b091f71b7 |
| SHA256 | d9fc6641f9a60c4473512bf8e41eb1a5d79b94ff9d68e27925b907fbb09bf2b6 |
| SHA512 | 4e5794197147c357b682a0bd6013e0dd4a1adbad72d1b7b4211496a3e7807feac97a1e2cd5c78a8f92e6cb39d7afcdd142433933faa272fcd2c555bf16270992 |
memory/3628-16-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4128-17-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4128-18-0x0000000000400000-0x0000000000438000-memory.dmp