64d52e0c184cb3db319bfd9c5b52d88021b0f98e3da163d467505b37e719605f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Size

668KB
MD5

c2953e3efeb5e40d514e6b9b77172c80
SHA1

89564191bc6b4fe1c6336fdaf9088a5f14727d08
SHA256

64d52e0c184cb3db319bfd9c5b52d88021b0f98e3da163d467505b37e719605f
SHA512

660d4e6fe8b9d4fbdf161bcb3272f98e17ea9b6b69cd9168a701feeaa6a68829ed5a2a710c357f392a3a4f2f4ae94638db05a6b17c7e2a999f8bd9aade776857
SSDEEP

12288:kw1x9pq1SvKxYxMgv0sz001741PymqzV/GwcLQo3wk/LJKCGtqA8Vu8NzWsy:kw1x9pq1SvKxYxMW0sn1E1Prqp/GwaQf

Score

7^/10

discovery

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt

Executes dropped EXE 8 IoCs

pid	Process
4656	.txt
3412	.txt
912	.txt
2424	.txt
2532	.txt
4392	.txt
1940	.txt
1308	.txt

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	.txt
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	.txt
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	.txt
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	.txt
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	.txt
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\.txt	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	.txt

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tyROxydisHSSp = "_K]lU]ZcKjAV{RTKhEs^YBvM"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]NZeqryUTV[B`z`"	.txt
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]N[AqryUTmT~jI`"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\xsuI = "FMlfgXi@iTMWmH[bKBQe\\N_L"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmo]NaWe`u{FH\|Gifm]wHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmnMNaWe`uzVH\|Gifm]wHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]NZ]qryUTTJkohp"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmo]NaWe`u{FH\|Gifm^GHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\adwqbbhRz = "YDsh}zB^Zn\|hWU^I\\"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]N[MqryUTP`}ODp"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]NZuqryUTjYj_@p"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\xsuI = "FMlfgXi@iTMWmH[bKBQe\\N_L"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InProcServer32\ = "%SystemRoot%\\SysWow64\\ConnectedAccountState.dll"	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tyROxydisHSSp = "_K]lU]ZcKjAV{STKhEULIBvM"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ooVlvybkygenl = "FGfWvBTvm^KhtbmEnrnt"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmn]NaWe`uzFH\|Gifm]wHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ooVlvybkygenl = "FGfWvBTvm^KhtbmEnrnt"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmo}NaWe`u{fH\|Gifm^GHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ooVlvybkygenl = "FGfWvBTvm^KhtbmEnrnt"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tyROxydisHSSp = "_K]lU]ZcKjAV{RTKhEs^YBvM"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hsekqjmeu = "pXMblZ~^aTCqd{XBj\x7fELxDk\\^MFU_"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tyROxydisHSSp = "_K]lU]ZcKjAV{RTKhEs^YBvM"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\adwqbbhRz = "YDsh}zB^Zn\|hWU^I\\"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmoMNaWe`u{VH\|Gifm]wHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmlmNaWe`uxvH\|Gifm]wHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]NYyqryUT^DkZw@"	.txt
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hsekqjmeu = "pXMblZ~^aTCqd{XBj\x7fELxDk\\^MFU_"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]NZqqryUTF[O\x7fO`"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]N[uqryUTIEjNH@"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmo}NaWe`u{fH\|Gifm]wHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\adwqbbhRz = "YDsh}zB^Zn\|hWU^I\\"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmo]NaWe`u{FH\|Gifm]wHZ"	.txt
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InProcServer32	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]N[aqryUTEAreKp"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]N[]qryUTkR~JVp"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]N[UqryUTbeypZ`"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\adwqbbhRz = "YDsh}zB^Zn\|hWU^I\\"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]NZUqryUT]}lUd`"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmomNaWe`u{vH\|Gifm]wHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]N[EqryUTAV[JFp"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmoMNaWe`u{VH\|Gifm^GHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]NZMqryUToxhjzp"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jml}NaWe`uxfH\|Gifm]wHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\xsuI = "FMlfgXi@iTMWmH[bKBQe\\N_L"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]NY}qryUTrFNzxP"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmomNaWe`u{vH\|Gifm^GHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hsekqjmeu = "pXMblZ~^aTCqd{XBj\x7fELxDk\\^MFU_"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]NZYqryUTxHNOg`"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmlmNaWe`uxvH\|Gifm]wHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmo}NaWe`u{fH\|Gifm]wHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hsekqjmeu = "pXMblZ~^aTCqd{XBj\x7fELxDk\\^MFU_"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ = "Connected Account State Change"	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tyROxydisHSSp = "_K]lU]ZcKjAV{RTKhEs^YBvM"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WXgbex = "jmomNaWe`u{vH\|Gifm]wHZ"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hsekqjmeu = "pXMblZ~^aTCqd{XBj\x7fELxDk\\^MFU_"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ooVlvybkygenl = "FGfWvBTvm^KhtbmEnrnt"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]N[IqryUT\|bXoK`"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tyROxydisHSSp = "_K]lU]ZcKjAV{RTKhEs^YBvM"	.txt
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\xsuI = "FMlfgXi@iTMWmH[bKBQe\\N_L"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uiafcnzhq = "T@xYS\x7fa\x7f@vz]NYqqryUTWsl`{P"	.txt

NTFS ADS 9 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt
File created	C:\ProgramData\TEMP:C980DA7D	.txt
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: 33	4184	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4184	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Token: 33	4656	.txt
Token: SeIncBasePriorityPrivilege	4656	.txt
Token: 33	3412	.txt
Token: SeIncBasePriorityPrivilege	3412	.txt
Token: 33	912	.txt
Token: SeIncBasePriorityPrivilege	912	.txt
Token: 33	2424	.txt
Token: SeIncBasePriorityPrivilege	2424	.txt
Token: 33	2532	.txt
Token: SeIncBasePriorityPrivilege	2532	.txt
Token: 33	4392	.txt
Token: SeIncBasePriorityPrivilege	4392	.txt
Token: 33	1940	.txt
Token: SeIncBasePriorityPrivilege	1940	.txt
Token: 33	1308	.txt
Token: SeIncBasePriorityPrivilege	1308	.txt

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 4656	4184	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe	93
PID 4184 wrote to memory of 4656	4184	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe	93
PID 4184 wrote to memory of 4656	4184	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe	93
PID 4656 wrote to memory of 3412	4656	.txt	97
PID 4656 wrote to memory of 3412	4656	.txt	97
PID 4656 wrote to memory of 3412	4656	.txt	97
PID 3412 wrote to memory of 912	3412	.txt	108
PID 3412 wrote to memory of 912	3412	.txt	108
PID 3412 wrote to memory of 912	3412	.txt	108
PID 912 wrote to memory of 2424	912	.txt	109
PID 912 wrote to memory of 2424	912	.txt	109
PID 912 wrote to memory of 2424	912	.txt	109
PID 2424 wrote to memory of 2532	2424	.txt	111
PID 2424 wrote to memory of 2532	2424	.txt	111
PID 2424 wrote to memory of 2532	2424	.txt	111
PID 2532 wrote to memory of 4392	2532	.txt	112
PID 2532 wrote to memory of 4392	2532	.txt	112
PID 2532 wrote to memory of 4392	2532	.txt	112
PID 4392 wrote to memory of 1940	4392	.txt	113
PID 4392 wrote to memory of 1940	4392	.txt	113
PID 4392 wrote to memory of 1940	4392	.txt	113
PID 1940 wrote to memory of 1308	1940	.txt	114
PID 1940 wrote to memory of 1308	1940	.txt	114
PID 1940 wrote to memory of 1308	1940	.txt	114

C:\Users\Admin\AppData\Local\Temp\c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\SysWOW64\.txt
  C:\Windows\system32\.txt 1420 "C:\Users\Admin\AppData\Local\Temp\c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\.txt
    C:\Windows\system32\.txt 1532 "C:\Windows\SysWOW64\.txt"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\SysWOW64\.txt
      C:\Windows\system32\.txt 1540 "C:\Windows\SysWOW64\.txt"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\SysWOW64\.txt
        
        C:\Windows\system32\.txt 1528 "C:\Windows\SysWOW64\.txt"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\SysWOW64\.txt
        
        C:\Windows\system32\.txt 1516 "C:\Windows\SysWOW64\.txt"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\.txt
        
        C:\Windows\system32\.txt 1548 "C:\Windows\SysWOW64\.txt"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\.txt
        
        C:\Windows\system32\.txt 1552 "C:\Windows\SysWOW64\.txt"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\.txt
        
        C:\Windows\system32\.txt 1512 "C:\Windows\SysWOW64\.txt"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
87ed3f9b54fa37e6848aead5b2bfca14

SHA1
95b7c98d6a661d02777da0022f58ce3fc63e5635

SHA256
4b423bd38144e86c73e13c956fcd23ad019ae537211bcb49faa92957e22ddf01

SHA512
48b5a8ca3bf5c5bc4462f7a79e93f09a738445de600c9bb9df6b8591c723d81c1db72067b7fa1e013206a31644b3758ac8eadb2fd86f43d20879952a9405bc03

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
8ef91dfc912eb8257c0d2b6e3c1b837b

SHA1
4754f5d510f60b06933e96e13b6a565bf4552476

SHA256
ca64673218e704421f01ac42fc717848bd78a10745572cfb1e7f6af182754494

SHA512
90d66fa3bf923ab772aec358f5cea41f7989d18c0db44b45b1a4ab542253a093d58ea12710271264cc20b4a5cb4c5199e9ec30c7cae58f7fec56e55ff9222140

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
6c008acd338f1c0d3b45ceb89312d114

SHA1
5d12916f3ba159659cd7a9183199d84e6e5aa5ab

SHA256
010de5936305ecea731939f0532036779e0528ee78500429e4ca83427c5d39ed

SHA512
75ce96f55451256c16655a46a582be23751370960349a65e6251202f8c243be824753b776f6ba5686fdf970e40b262a8d326a7a6070e3beb133252f9eec7e312

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
5bba62694c0f609ae90d9fb845e97952

SHA1
8376c1fceff0e2456fcc9f26f4000cef613c5ba6

SHA256
897002bc8026b9c977506c54231549ea75b102084082cd56bf2587999c45de3a

SHA512
1820d03fb79f5814366b3629574ca6a5acfc79b3bcede732fd440cbd4094cc2c039b4167355a7d325e204effe6c6a78995daa092cad8e18a959b5192e9aef7be

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
7a3b0c2df05c67f23a96ff4619f0e285

SHA1
89650d4e25b1491036a33dbf42291c131524caff

SHA256
b1850336663d266f4df177eb15f1032685e84490f6fdae932c5bb5ab593a05ac

SHA512
c134d3f83f9e646f70cdc7f2fa33b761068187bfcf5db8b4620fa1085a47b9d0a11d08339f5912e0a4f2e8210d867c253bfbf714434dabec08a4f89fbfc8f5ce

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
1b2fa1feecc76acb8a61eb34280f2bff

SHA1
3ce1c70bbdbe79ce7c0edfcbe324a12680e57c69

SHA256
2b86c9a8818c025042389cc65343f621601b4ddc17e3c1add2ba93d48d6a8b20

SHA512
86d2075eb060103331ab65ec47f37ae45687b0b87d511ee7cf77506562923c244249adf812772b4af20c693d222852f98898b4f0e8b3610a4cc0369ce76e27e0

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
05e6eeed6aa7ff0bc3263802b272cc66

SHA1
cd01396921a618bdbcf08cee8a33fcbd0a279c67

SHA256
faae9422965981b5ca582967b24b240484f0ca4798f68c8457a9ee6ac73f7e23

SHA512
d18b2133cc012108b601c119b29421b5caf434266137cbb545c425f60536854335783dc11bbbd43e05ca963542b7414ba33adadd6b10638e303294e89d8f6785

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
884258a12a74c11c6fcbd6c0101d0148

SHA1
31eb6e5de1325c108ed1de625db8ed8f67ac9974

SHA256
d70bebb310b57f016ca3f49a17d4b07fcc52f7e9b7f82ea036751a6b1ffc9201

SHA512
a63b68ff46ebf945819e4b9ce465802c34120e3d09b59d0329286b934adc87b5fd359ef683478fdf085ef5bf7bb4e2038401aaa092330356cbd85147c10bd0d0

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
3a7bdf41685b21e351e6378e4d479dad

SHA1
c7aa85e9984e380c3ad62b33a59890c8368df29c

SHA256
091d3c3755be3de09a8e3666e5946dce548cb7054772e301bb8ce823b47f8db7

SHA512
0d58cdd2ce2f0326e7289102adaad932bce925a8e71414319bb91718d3e1425b28b574a2feb92868a8e131e00b81de0380f277cb6485df917943dfbb83e27ec9

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
e71e62b0ae93ce14eb5718c140961116

SHA1
5db9b1aacf1cadf9b58de4db6adcfe852a7c3884

SHA256
63bbe7e9e652779372dd12cdc03352e1f41fa13eff7c312b9b368363913083c6

SHA512
9f9460010944a22dba5b16547d83b10c7a8b59820109334905c1f4fad6285bd53d3dfb9ee2f4b46d26a454d157fcea17a51a945e5ae89407b9444117d6816e38

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
cc44770a5cae6ea032fa496f5aa6db6d

SHA1
0d4739bc4f5b74c81771d8fdbd1c2754cedfb229

SHA256
2412a74a0c0ace4858330e52a9676fc5e76ed287da2aaedd5fe52ca9ff656f7b

SHA512
23864de02454c787437772db25ae31b6dd0c285aaca3f851f2a615bad2f0b2afa9fa194b1b13b1877f6b4a3db32f7855c1f2a4c5ce2ba5b867f2bb4bf10600c3

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
22e02217543afdf520211b99b969ada2

SHA1
61ec030532b2a81ac7bae05965c89c6be241dc23

SHA256
3063fb0a04147220a733d2daa0582b993409136f335f44ee75b616dcf869b257

SHA512
c1116dcd2a0cebcbd5cb856fe84161e6c40746761a4f40f5288c4a8de21e08667b672f6918d9a7ad43642eec87a5e7899666ff1bd01c85f13d25d3829849fe03

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
715461b50e27922a81cd13402de29ba4

SHA1
feaa7ee37ff612e3df32b35a4502ebc25baab171

SHA256
2429751f466cf623687db4a234f39baf325a6a7492d5a2196ded5b136e542797

SHA512
0c68c334294568be81f6ad64415ac316aa2c71af5e52ed618f23c178a037cd2b6811a67f5e7eb1e8a43f3d5612a35da8443ce65199a5c10e64e6a79a87e33942

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
fa00da4185e2b83c5d443ebef497c00e

SHA1
e512197fb0806b4d275590e89c79443b1e516d75

SHA256
9cdf65d1249ad836af090bf8b2cfb80f304635d4ba1df336478b5173eb19fc75

SHA512
981baec9d92e6598d3017566f909b63d80c578455d3cfc6fd1ebb8ead5cca35d48ae7b2544fdf0a055045b8f4f4e85944a3aaf97bdde07b00f6f5d7f9b6da36a

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
c1a9ac9253e3d17774ab3412ff400af1

SHA1
4b89e3790d9410ed93441dd0b7ce33f922abb234

SHA256
92570c9a75b0e1b87658e9ae83a723a3565c86b6adf85cb0be03b6c01b867a26

SHA512
0ea2d21dc0ed5c2d965acf4b35a8301a9661b73d616b20cffd7bbd95b5249270d46c490d18979c2580163a371e7d0997bfc2547ff06ceb0aa979d5623c5e9812

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
fb0d8398e4ca6abcc88579b83c03376a

SHA1
823c9032c4cc900276226dc191fe399ef360ee88

SHA256
ee22dbd5659bef3dd647f523bd6f4f93874e6e51bd1df98ed101d17e3d2493de

SHA512
36ce38bdd3687b4b525f23db4755c4cc35cb8fdeae0f37dc114d66e411a9729948a39b822a994351ca1c86b8342455c1ecd5b3286f7adb34709cfc95c1903cc4

Download Submit
C:\Windows\SysWOW64\.txt

Filesize
668KB

MD5
c2953e3efeb5e40d514e6b9b77172c80

SHA1
89564191bc6b4fe1c6336fdaf9088a5f14727d08

SHA256
64d52e0c184cb3db319bfd9c5b52d88021b0f98e3da163d467505b37e719605f

SHA512
660d4e6fe8b9d4fbdf161bcb3272f98e17ea9b6b69cd9168a701feeaa6a68829ed5a2a710c357f392a3a4f2f4ae94638db05a6b17c7e2a999f8bd9aade776857

Download Submit
memory/912-94-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/912-71-0x00000000006D0000-0x000000000071C000-memory.dmp

Filesize
304KB

Download
memory/912-85-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/912-87-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/912-88-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/912-89-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/912-92-0x00000000006D0000-0x000000000071C000-memory.dmp

Filesize
304KB

Download
memory/912-90-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/912-91-0x00000000006D0000-0x000000000071C000-memory.dmp

Filesize
304KB

Download
memory/912-86-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/1308-229-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/1940-202-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2424-121-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2532-148-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/3412-61-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/3412-44-0x0000000000680000-0x00000000006CC000-memory.dmp

Filesize
304KB

Download
memory/3412-59-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/3412-65-0x0000000000680000-0x00000000006CC000-memory.dmp

Filesize
304KB

Download
memory/3412-68-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/3412-58-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/3412-62-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/3412-63-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/3412-81-0x0000000000680000-0x00000000006CC000-memory.dmp

Filesize
304KB

Download
memory/3412-64-0x0000000000680000-0x00000000006CC000-memory.dmp

Filesize
304KB

Download
memory/3412-60-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4184-8-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4184-29-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4184-2-0x00000000006A0000-0x00000000006EC000-memory.dmp

Filesize
304KB

Download
memory/4184-7-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4184-10-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4184-13-0x00000000006A0000-0x00000000006EC000-memory.dmp

Filesize
304KB

Download
memory/4184-12-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4184-11-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4184-9-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4184-0-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4184-28-0x00000000006A0000-0x00000000006EC000-memory.dmp

Filesize
304KB

Download
memory/4392-175-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4656-31-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4656-21-0x0000000000650000-0x000000000069C000-memory.dmp

Filesize
304KB

Download
memory/4656-36-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4656-37-0x0000000000650000-0x000000000069C000-memory.dmp

Filesize
304KB

Download
memory/4656-54-0x0000000000650000-0x000000000069C000-memory.dmp

Filesize
304KB

Download
memory/4656-35-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4656-34-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4656-32-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4656-33-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/4656-38-0x0000000000650000-0x000000000069C000-memory.dmp

Filesize
304KB

Download
memory/4656-40-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download