028ea4745a0add6ef3cdbff5373c07a1f0d3db2f3ee879bcb61b3ed1feefa658

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
Size

96KB
MD5

c7b407d57fe62574099a38ae40c4dfd0
SHA1

e4691b503ed5f4010e2d36720fe5883e9bbf0f12
SHA256

028ea4745a0add6ef3cdbff5373c07a1f0d3db2f3ee879bcb61b3ed1feefa658
SHA512

5d1e6204cb099178f51f3cbfb138842bbf796530d90a9aa24d8518e9b4e0e781436ebc0208ea3f1f52b802603fa081a0e98e6a60c0c2948117157b73cfedde7c
SSDEEP

1536:n3NoR4cNMZuMsU2/5+gGrd2OTaOImokQYQ6YRwr30Fpb+4D5K3TPVXC:O44MZuMsUc9GrNqm7QYoCcpS4gE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2800	services.exe
2264	services.exe
2232	services.exe
2220	services.exe
1052	services.exe
2412	services.exe
2844	services.exe
2488	services.exe
1808	services.exe
1856	services.exe

Loads dropped DLL 64 IoCs

pid	Process
2236	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2236	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2800	services.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
2728	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2264	services.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2536	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2232	services.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
784	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2220	services.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe
1956	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
1052	services.exe
2420	WerFault.exe
2420	WerFault.exe
2420	WerFault.exe
2420	WerFault.exe
2420	WerFault.exe
1372	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2412	services.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
316	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2844	services.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
2600	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2488	services.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2796	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
1808	services.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe

Drops file in Windows directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\services.exe	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.exe	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.ini	services.exe
File opened for modification	C:\Windows\system\services.exe	services.exe
File opened for modification	C:\Windows\system\services.exe	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.ini	services.exe
File opened for modification	C:\Windows\system\services.ini	services.exe
File opened for modification	C:\Windows\system\services.exe	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.ini	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.ini	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\win32p.reg	services.exe
File opened for modification	C:\Windows\system\services.ini	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.ini	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.exe	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.exe	services.exe
File opened for modification	C:\Windows\system\services.ini	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.exe	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.ini	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.exe	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.ini	services.exe
File opened for modification	C:\Windows\system\services.ini	services.exe
File opened for modification	C:\Windows\system\win32p.reg	services.exe
File opened for modification	C:\Windows\system\services.ini	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.ini	services.exe
File opened for modification	C:\Windows\system\win32p.reg	services.exe
File opened for modification	C:\Windows\system\services.exe	services.exe
File opened for modification	C:\Windows\system\services.ini	services.exe
File opened for modification	C:\Windows\system\win32p.reg	services.exe
File opened for modification	C:\Windows\system\win32p.reg	services.exe
File opened for modification	C:\Windows\system\services.ini	services.exe
File opened for modification	C:\Windows\system\services.ini	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.exe	services.exe
File opened for modification	C:\Windows\system\services.ini	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.exe	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.exe	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.exe	services.exe
File opened for modification	C:\Windows\system\services.exe	services.exe
File opened for modification	C:\Windows\system\services.exe	services.exe
File opened for modification	C:\Windows\system\services.exe	services.exe
File opened for modification	C:\Windows\system\win32p.reg	services.exe
File opened for modification	C:\Windows\system\services.ini	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\win32p.reg	services.exe
File opened for modification	C:\Windows\system\services.exe	services.exe
File opened for modification	C:\Windows\system\services.exe	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
File opened for modification	C:\Windows\system\services.ini	services.exe
File opened for modification	C:\Windows\system\win32p.reg	services.exe
File opened for modification	C:\Windows\system\win32p.reg	services.exe
File opened for modification	C:\Windows\system\services.ini	services.exe
File opened for modification	C:\Windows\system\win32p.reg	services.exe
File opened for modification	C:\Windows\system\services.exe	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 20 IoCs

pid	pid_target	Process	procid_target
2824	2236	WerFault.exe	29
2960	2800	WerFault.exe	30
2256	2728	WerFault.exe	32
2180	2264	WerFault.exe	34
2320	2536	WerFault.exe	36
1964	2232	WerFault.exe	38
2152	784	WerFault.exe	40
972	2220	WerFault.exe	42
696	1956	WerFault.exe	44
2420	1052	WerFault.exe	46
2004	1372	WerFault.exe	48
1264	2412	WerFault.exe	50
2096	316	WerFault.exe	52
1304	2844	WerFault.exe	54
2896	2600	WerFault.exe	56
2384	2488	WerFault.exe	58
2172	2796	WerFault.exe	60
840	1808	WerFault.exe	62
1756	2428	WerFault.exe	64
844	1856	WerFault.exe	66

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious behavior: GetForegroundWindowSpam 11 IoCs

pid	Process
2236	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2728	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2536	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
784	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
1956	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
1372	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
316	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2600	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2796	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2428	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
1016	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2236	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2800	services.exe
2728	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2264	services.exe
2536	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2232	services.exe
784	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2220	services.exe
1956	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
1052	services.exe
1372	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2412	services.exe
316	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2844	services.exe
2600	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
2488	services.exe
2796	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
1808	services.exe
2428	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
1856	services.exe
1016	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2800	2236	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2800	2236	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2800	2236	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2800	2236	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2824	2236	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	31
PID 2236 wrote to memory of 2824	2236	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	31
PID 2236 wrote to memory of 2824	2236	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	31
PID 2236 wrote to memory of 2824	2236	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	31
PID 2800 wrote to memory of 2728	2800	services.exe	32
PID 2800 wrote to memory of 2728	2800	services.exe	32
PID 2800 wrote to memory of 2728	2800	services.exe	32
PID 2800 wrote to memory of 2728	2800	services.exe	32
PID 2800 wrote to memory of 2960	2800	services.exe	33
PID 2800 wrote to memory of 2960	2800	services.exe	33
PID 2800 wrote to memory of 2960	2800	services.exe	33
PID 2800 wrote to memory of 2960	2800	services.exe	33
PID 2728 wrote to memory of 2264	2728	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	34
PID 2728 wrote to memory of 2264	2728	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	34
PID 2728 wrote to memory of 2264	2728	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	34
PID 2728 wrote to memory of 2264	2728	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	34
PID 2728 wrote to memory of 2256	2728	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	35
PID 2728 wrote to memory of 2256	2728	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	35
PID 2728 wrote to memory of 2256	2728	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	35
PID 2728 wrote to memory of 2256	2728	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	35
PID 2264 wrote to memory of 2536	2264	services.exe	36
PID 2264 wrote to memory of 2536	2264	services.exe	36
PID 2264 wrote to memory of 2536	2264	services.exe	36
PID 2264 wrote to memory of 2536	2264	services.exe	36
PID 2264 wrote to memory of 2180	2264	services.exe	37
PID 2264 wrote to memory of 2180	2264	services.exe	37
PID 2264 wrote to memory of 2180	2264	services.exe	37
PID 2264 wrote to memory of 2180	2264	services.exe	37
PID 2536 wrote to memory of 2232	2536	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	38
PID 2536 wrote to memory of 2232	2536	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	38
PID 2536 wrote to memory of 2232	2536	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	38
PID 2536 wrote to memory of 2232	2536	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	38
PID 2536 wrote to memory of 2320	2536	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	39
PID 2536 wrote to memory of 2320	2536	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	39
PID 2536 wrote to memory of 2320	2536	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	39
PID 2536 wrote to memory of 2320	2536	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	39
PID 2232 wrote to memory of 784	2232	services.exe	40
PID 2232 wrote to memory of 784	2232	services.exe	40
PID 2232 wrote to memory of 784	2232	services.exe	40
PID 2232 wrote to memory of 784	2232	services.exe	40
PID 2232 wrote to memory of 1964	2232	services.exe	41
PID 2232 wrote to memory of 1964	2232	services.exe	41
PID 2232 wrote to memory of 1964	2232	services.exe	41
PID 2232 wrote to memory of 1964	2232	services.exe	41
PID 784 wrote to memory of 2220	784	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	42
PID 784 wrote to memory of 2220	784	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	42
PID 784 wrote to memory of 2220	784	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	42
PID 784 wrote to memory of 2220	784	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	42
PID 784 wrote to memory of 2152	784	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	43
PID 784 wrote to memory of 2152	784	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	43
PID 784 wrote to memory of 2152	784	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	43
PID 784 wrote to memory of 2152	784	c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe	43
PID 2220 wrote to memory of 1956	2220	services.exe	44
PID 2220 wrote to memory of 1956	2220	services.exe	44
PID 2220 wrote to memory of 1956	2220	services.exe	44
PID 2220 wrote to memory of 1956	2220	services.exe	44
PID 2220 wrote to memory of 972	2220	services.exe	45
PID 2220 wrote to memory of 972	2220	services.exe	45
PID 2220 wrote to memory of 972	2220	services.exe	45
PID 2220 wrote to memory of 972	2220	services.exe	45

C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\system\services.exe
  "C:\Windows\system\services.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\system\services.exe
      "C:\Windows\system\services.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\system\services.exe
        
        "C:\Windows\system\services.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe"
        7⤵
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\system\services.exe
        
        "C:\Windows\system\services.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe"
        9⤵
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Windows\system\services.exe
        
        "C:\Windows\system\services.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe"
        11⤵
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Windows\system\services.exe
        
        "C:\Windows\system\services.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe"
        13⤵
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\system\services.exe
        
        "C:\Windows\system\services.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe"
        15⤵
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\system\services.exe
        
        "C:\Windows\system\services.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe"
        17⤵
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Windows\system\services.exe
        
        "C:\Windows\system\services.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe"
        19⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\system\services.exe
        
        "C:\Windows\system\services.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7b407d57fe62574099a38ae40c4dfd0_JaffaCakes118.exe"
        21⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 496
        21⤵
        Program crash
        
        PID:844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 388
        20⤵
        Program crash
        
        PID:1756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 440
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 388
        18⤵
        Program crash
        
        PID:2172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 492
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 388
        16⤵
        Program crash
        
        PID:2896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 464
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:1304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 504
        14⤵
        Program crash
        
        PID:2096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 464
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:1264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 388
        12⤵
        Program crash
        
        PID:2004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 440
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 388
        10⤵
        Program crash
        
        PID:696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 504
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 388
        8⤵
        Program crash
        
        PID:2152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 464
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1964
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 388
        6⤵
        Program crash
        
        PID:2320
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 500
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 388
      4⤵
      Program crash
      PID:2256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 480
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 388
  2⤵
  - Program crash
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\services.ini

Filesize
84B

MD5
2dc22b48c3573ae4fbe08bc8e9993252

SHA1
2f7a162af95edbd8d60259398a214d6cc7616304

SHA256
36b0ad60bc3b319023e55cf52da4a01675fb272edf2f73e5e40d742ab60f1928

SHA512
0e028684ca9a52950966e64c00524da61dab56db4e04128d4d9addb223bfd9820c651fefa7335aed14ba01699408fa1cab9e30e781dea609d6f25d967befde00

Download Submit
C:\Windows\system\win32p.reg

Filesize
166B

MD5
dab814a1a5d56a751398f37970cbb4b6

SHA1
35a2adfb7566e048e3d5a0f8b3d0e24cffb50778

SHA256
dfc8ab18898ec12c7901976de0e60be0b955588116ed64505456aa303ed64673

SHA512
8d98e36fd5a2931944b4f12d98aa5f40036254eb149ede15c02bb2166ad09b75b79d68812ddaa4fe22abf4169804c12f83203cf8c45273d24e112044a66ea384

Download Submit
C:\spysilici.bat

Filesize
88B

MD5
92bb45e44e75f94c8b586d8149eb41fc

SHA1
158c6ec92ab009ef40febcefd0e602f89cf722db

SHA256
4c7364a9111b7fc49e1a5a93b0e7022f9c6cc783c59063136d0d921571285f44

SHA512
0510ee2f301e3cd3155e024e4c5684b80d40fe055bb8be21638fc3ad8dfb37d4af7803fdafdef11de3c20ca758a634847a19a5cb7dcdcef09e29737dbe8ee59c

Download Submit
\Windows\system\services.exe

Filesize
96KB

MD5
6249fd7a90df7d330ee971d249f61a28

SHA1
66a962df14bcbf70a5673af12ae566aee1ede7c4

SHA256
f7ff8a71437535d9b23c0e9a28466fa8e4e4333643a4fa474cdfefd1ef2a52d6

SHA512
c8b8ca43c44a977005f313e6469c15d7ac85f2554df7b5ab253577cba7b5995359baaf5fd8098bd2f0bf6293704463d60685c19a0f784937b7d041cae3470789

Download Submit
memory/316-177-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/316-178-0x0000000002640000-0x00000000026A1000-memory.dmp

Filesize
388KB

Download
memory/316-164-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/316-252-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/316-253-0x0000000002640000-0x00000000026A1000-memory.dmp

Filesize
388KB

Download
memory/784-94-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/784-191-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/784-207-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/784-208-0x0000000003EA0000-0x0000000003F01000-memory.dmp

Filesize
388KB

Download
memory/784-95-0x0000000003EA0000-0x0000000003F01000-memory.dmp

Filesize
388KB

Download
memory/784-82-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/1052-129-0x0000000002760000-0x00000000027C1000-memory.dmp

Filesize
388KB

Download
memory/1052-230-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/1052-231-0x0000000001F00000-0x0000000001F10000-memory.dmp

Filesize
64KB

Download
memory/1052-124-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/1372-247-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/1372-131-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/1372-148-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/1372-232-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/1372-149-0x0000000003EB0000-0x0000000003F11000-memory.dmp

Filesize
388KB

Download
memory/1808-222-0x0000000002CC0000-0x0000000002D21000-memory.dmp

Filesize
388KB

Download
memory/1808-223-0x0000000002CC0000-0x0000000002D21000-memory.dmp

Filesize
388KB

Download
memory/1808-221-0x0000000001D40000-0x0000000001D50000-memory.dmp

Filesize
64KB

Download
memory/1808-218-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/1856-239-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/1856-243-0x0000000002870000-0x00000000028D1000-memory.dmp

Filesize
388KB

Download
memory/1856-241-0x0000000002870000-0x00000000028D1000-memory.dmp

Filesize
388KB

Download
memory/1956-118-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/1956-228-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/1956-107-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/1956-119-0x0000000003E80000-0x0000000003EE1000-memory.dmp

Filesize
388KB

Download
memory/1956-211-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/1956-229-0x0000000003E80000-0x0000000003EE1000-memory.dmp

Filesize
388KB

Download
memory/2220-104-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/2220-209-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2220-210-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/2220-106-0x0000000002BB0000-0x0000000002C11000-memory.dmp

Filesize
388KB

Download
memory/2232-190-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/2232-81-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/2232-189-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2236-4-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2236-6-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2236-0-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2236-141-0x0000000004050000-0x00000000040B1000-memory.dmp

Filesize
388KB

Download
memory/2236-9-0x0000000000458000-0x0000000000460000-memory.dmp

Filesize
32KB

Download
memory/2236-23-0x0000000004050000-0x00000000040B1000-memory.dmp

Filesize
388KB

Download
memory/2236-10-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2236-140-0x0000000001D20000-0x0000000001D30000-memory.dmp

Filesize
64KB

Download
memory/2236-14-0x0000000001D20000-0x0000000001D30000-memory.dmp

Filesize
64KB

Download
memory/2236-142-0x0000000004050000-0x00000000040B1000-memory.dmp

Filesize
388KB

Download
memory/2236-5-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2236-25-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2236-17-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2236-2-0x0000000000458000-0x0000000000460000-memory.dmp

Filesize
32KB

Download
memory/2236-1-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2236-18-0x0000000004050000-0x00000000040B1000-memory.dmp

Filesize
388KB

Download
memory/2236-3-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2264-60-0x0000000002C50000-0x0000000002CB1000-memory.dmp

Filesize
388KB

Download
memory/2264-174-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2264-173-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2264-59-0x0000000002C50000-0x0000000002CB1000-memory.dmp

Filesize
388KB

Download
memory/2264-58-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2264-51-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2412-248-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2412-249-0x0000000003760000-0x00000000037C1000-memory.dmp

Filesize
388KB

Download
memory/2412-250-0x0000000001CD0000-0x0000000001CE0000-memory.dmp

Filesize
64KB

Download
memory/2412-154-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2412-161-0x0000000003760000-0x00000000037C1000-memory.dmp

Filesize
388KB

Download
memory/2412-251-0x0000000003760000-0x00000000037C1000-memory.dmp

Filesize
388KB

Download
memory/2412-159-0x0000000001CD0000-0x0000000001CE0000-memory.dmp

Filesize
64KB

Download
memory/2412-160-0x0000000003760000-0x00000000037C1000-memory.dmp

Filesize
388KB

Download
memory/2428-225-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2428-234-0x0000000001D00000-0x0000000001D10000-memory.dmp

Filesize
64KB

Download
memory/2428-235-0x0000000003F10000-0x0000000003F71000-memory.dmp

Filesize
388KB

Download
memory/2488-198-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2488-203-0x0000000002800000-0x0000000002861000-memory.dmp

Filesize
388KB

Download
memory/2488-202-0x0000000002800000-0x0000000002861000-memory.dmp

Filesize
388KB

Download
memory/2488-199-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2536-72-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/2536-175-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2600-194-0x0000000002C90000-0x0000000002CF1000-memory.dmp

Filesize
388KB

Download
memory/2600-185-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2600-193-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/2728-48-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2728-38-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2728-145-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2728-172-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2796-214-0x0000000003F20000-0x0000000003F81000-memory.dmp

Filesize
388KB

Download
memory/2796-213-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2800-34-0x0000000001DC0000-0x0000000001DD0000-memory.dmp

Filesize
64KB

Download
memory/2800-144-0x0000000002740000-0x00000000027A1000-memory.dmp

Filesize
388KB

Download
memory/2800-143-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2800-35-0x0000000002740000-0x00000000027A1000-memory.dmp

Filesize
388KB

Download
memory/2800-27-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2844-184-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2844-254-0x0000000000400000-0x0000000000460F90-memory.dmp

Filesize
387KB

Download
memory/2844-255-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download