Analysis
max time kernel: 120s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-09-2024 13:53
Static task: static1
Behavioral task: behavioral1
  Sample: d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Size: 145KB
MD5: d672b3a0263bddfa358dd126702b5bf9
SHA1: 8eb2e79eb7dd7370ddb4a3c46fe85c39cf5f8937
SHA256: 055c6ad96af409328ebe9a4e8ff7189e3a986508d32a2950223d6a1bc4afe98b
SHA512: 82b1b9d54a9383b6e829d51e278f765d9489a426d98095cff821e2e9a57bb54079aed4aec830be87aa6f18f35aee41737967b389c0b08cce84ed2c71d14fe0cb
SSDEEP: 3072:knN5HYBvjr5SM/yv7VDVKMOQg5H1i8fZ5Ys+iyXFm+GqVphIw:kNC5P5SwQDVKM0H1i8fZ5YxXFm+T
Malware Config
Signatures
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Executes dropped EXE 2 IoCs
Processes: Exporer32.exe, Explorer.exe
  pid | process
  5036 | Exporer32.exe
  5104 | Explorer.exe
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Exporer32.exe | upx
  behavioral2/memory/5036-21-0x0000000000400000-0x000000000041D000-memory.dmp | upx
  behavioral2/memory/5036-32-0x0000000000400000-0x000000000041D000-memory.dmp | upx
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svchost.exe
  description | ioc | process
  File opened (read-only) | \??\P: | svchost.exe
  File opened (read-only) | \??\V: | svchost.exe
  File opened (read-only) | \??\A: | svchost.exe
  File opened (read-only) | \??\H: | svchost.exe
  File opened (read-only) | \??\M: | svchost.exe
  File opened (read-only) | \??\O: | svchost.exe
  File opened (read-only) | \??\R: | svchost.exe
  File opened (read-only) | \??\S: | svchost.exe
  File opened (read-only) | \??\T: | svchost.exe
  File opened (read-only) | \??\U: | svchost.exe
  File opened (read-only) | \??\J: | svchost.exe
  File opened (read-only) | \??\L: | svchost.exe
  File opened (read-only) | \??\W: | svchost.exe
  File opened (read-only) | \??\I: | svchost.exe
  File opened (read-only) | \??\K: | svchost.exe
  File opened (read-only) | \??\X: | svchost.exe
  File opened (read-only) | \??\Y: | svchost.exe
  File opened (read-only) | \??\Z: | svchost.exe
  File opened (read-only) | \??\E: | svchost.exe
  File opened (read-only) | \??\G: | svchost.exe
  File opened (read-only) | \??\Q: | svchost.exe
  File opened (read-only) | \??\B: | svchost.exe
  File opened (read-only) | \??\N: | svchost.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
Processes: svchost.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes | svchost.exe
Drops file in System32 directory 9 IoCs
Processes: Exporer32.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\msjwtk.com | Exporer32.exe
  File opened for modification | C:\Windows\system32\wbem\repository | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | svchost.exe
  File created | C:\Windows\SysWOW64\msjwtk.com | Exporer32.exe
  File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | svchost.exe
Drops file in Windows directory 5 IoCs
Processes: d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe, Exporer32.exe
  description | ioc | process
  File opened for modification | C:\Windows\PCGWIN32.LI5 | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  File opened for modification | C:\Windows\Explorer.exe | Exporer32.exe
  File created | C:\Windows\Explorer.exe | Exporer32.exe
  File opened for modification | C:\Windows\msagent\msoepr.com | Exporer32.exe
  File created | C:\Windows\msagent\msoepr.com | Exporer32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe, Exporer32.exe, cmd.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Exporer32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe, Exporer32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Exporer32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Exporer32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Modifies registry class 6 IoCs
Processes: d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\{F5C8E816-ED946921-EF56718E-8A012477} | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\{F5C8E816-ED946921-EF56718E-8A012477}\ = (data value not shown) | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\{F5C8E816-ED946921-EF56718E-8A012477}\ = (data value not shown) | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C} | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}\ = "3894350623" | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\{F5C8E816-ED946921-EF56718E-8A012477}\ = (data value not shown) | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: Exporer32.exe
  pid | process
  5036 | Exporer32.exe
  5036 | Exporer32.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: Exporer32.exe, svchost.exe, svchost.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 5036 | Exporer32.exe
  Token: SeSecurityPrivilege | 5036 | Exporer32.exe
  Token: SeTakeOwnershipPrivilege | 5036 | Exporer32.exe
  Token: SeLoadDriverPrivilege | 5036 | Exporer32.exe
  Token: SeSystemProfilePrivilege | 5036 | Exporer32.exe
  Token: SeSystemtimePrivilege | 5036 | Exporer32.exe
  Token: SeProfSingleProcessPrivilege | 5036 | Exporer32.exe
  Token: SeIncBasePriorityPrivilege | 5036 | Exporer32.exe
  Token: SeCreatePagefilePrivilege | 5036 | Exporer32.exe
  Token: SeBackupPrivilege | 5036 | Exporer32.exe
  Token: SeRestorePrivilege | 5036 | Exporer32.exe
  Token: SeShutdownPrivilege | 5036 | Exporer32.exe
  Token: SeDebugPrivilege | 5036 | Exporer32.exe
  Token: SeSystemEnvironmentPrivilege | 5036 | Exporer32.exe
  Token: SeRemoteShutdownPrivilege | 5036 | Exporer32.exe
  Token: SeUndockPrivilege | 5036 | Exporer32.exe
  Token: SeManageVolumePrivilege | 5036 | Exporer32.exe
  Token: 33 | 5036 | Exporer32.exe
  Token: 34 | 5036 | Exporer32.exe
  Token: 35 | 5036 | Exporer32.exe
  Token: 36 | 5036 | Exporer32.exe
  Token: SeBackupPrivilege | 1840 | svchost.exe
  Token: SeRestorePrivilege | 1840 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2072 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2072 | svchost.exe
  Token: SeSecurityPrivilege | 2072 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2072 | svchost.exe
  Token: SeLoadDriverPrivilege | 2072 | svchost.exe
  Token: SeSystemtimePrivilege | 2072 | svchost.exe
  Token: SeBackupPrivilege | 2072 | svchost.exe
  Token: SeRestorePrivilege | 2072 | svchost.exe
  Token: SeShutdownPrivilege | 2072 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 2072 | svchost.exe
  Token: SeUndockPrivilege | 2072 | svchost.exe
  Token: SeManageVolumePrivilege | 2072 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2072 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2072 | svchost.exe
  Token: SeSecurityPrivilege | 2072 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2072 | svchost.exe
  Token: SeLoadDriverPrivilege | 2072 | svchost.exe
  Token: SeSystemtimePrivilege | 2072 | svchost.exe
  Token: SeBackupPrivilege | 2072 | svchost.exe
  Token: SeRestorePrivilege | 2072 | svchost.exe
  Token: SeShutdownPrivilege | 2072 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 2072 | svchost.exe
  Token: SeUndockPrivilege | 2072 | svchost.exe
  Token: SeManageVolumePrivilege | 2072 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2072 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2072 | svchost.exe
  Token: SeSecurityPrivilege | 2072 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2072 | svchost.exe
  Token: SeLoadDriverPrivilege | 2072 | svchost.exe
  Token: SeSystemtimePrivilege | 2072 | svchost.exe
  Token: SeBackupPrivilege | 2072 | svchost.exe
  Token: SeRestorePrivilege | 2072 | svchost.exe
  Token: SeShutdownPrivilege | 2072 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 2072 | svchost.exe
  Token: SeUndockPrivilege | 2072 | svchost.exe
  Token: SeManageVolumePrivilege | 2072 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2072 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2072 | svchost.exe
  Token: SeSecurityPrivilege | 2072 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2072 | svchost.exe
  Token: SeLoadDriverPrivilege | 2072 | svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  pid | process
  2232 | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes: d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe, Exporer32.exe
  description | pid | process | target process
  PID 2232 wrote to memory of 5036 | 2232 | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe | Exporer32.exe
  PID 2232 wrote to memory of 5036 | 2232 | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe | Exporer32.exe
  PID 2232 wrote to memory of 5036 | 2232 | d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe | Exporer32.exe
  PID 5036 wrote to memory of 5104 | 5036 | Exporer32.exe | Explorer.exe
  PID 5036 wrote to memory of 5104 | 5036 | Exporer32.exe | Explorer.exe
  PID 5036 wrote to memory of 2296 | 5036 | Exporer32.exe | cmd.exe
  PID 5036 wrote to memory of 2296 | 5036 | Exporer32.exe | cmd.exe
  PID 5036 wrote to memory of 2296 | 5036 | Exporer32.exe | cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Explorer.exe
      Command line: C:\Windows\Explorer.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
      - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
  - Enumerates connected drives
  - Remote Services: SMB/Windows Admin Shares
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
Network
Downloads
C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
  Filesize: 33KB
  MD5: 7e379619ddab7417a5b3a8a73b2c1177
  SHA1: 5a3977aff043e26f75ae369e8aaa3f9fd3b5c450
  SHA256: a02d3199707b973a3ebaa57b957ef9ea605a1998b844ede23289cd39a28a28a1
  SHA512: 518db5b4bbaddc942110819b7a23145355b00c73fd02be2e4767835f35eada059e3aabe1565491b1efc5130344f6ddfd509f8719c3d824c27a0caad854d4bfe2
C:\Windows\explorer.exe
  Filesize: 4.6MB
  MD5: 30decee483a8196b30643ec6a453a7de
  SHA1: 92266131aff3595c5a95d3aa23c9e40c85d5f982
  SHA256: 3dc254ad131a691acb1f9e3a5bb5ca5b3ea891869e516f4b3580ea4fcfdf2e76
  SHA512: a8f370c060223d4c2985ac16e78547779e584020e95428e85b497464fc487611d7b080908f904c11aa93bc7b56ec102845fbb6554d97dcba7fdc856c93087f00
memory/2232-0-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
memory/2232-1-0x0000000002160000-0x0000000002177000-memory.dmp
  Filesize: 92KB
memory/2232-25-0x0000000002160000-0x0000000002177000-memory.dmp
  Filesize: 92KB
memory/2232-24-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
memory/4024-34-0x00000271D8D60000-0x00000271D8D70000-memory.dmp
  Filesize: 64KB
memory/4024-40-0x00000271D9340000-0x00000271D9350000-memory.dmp
  Filesize: 64KB
memory/5036-21-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB
memory/5036-32-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB