Analysis
- max time kernel: 150s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/09/2024, 18:23
Static task
static1
Behavioral task
behavioral1
Sample
d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
-
Size
657KB
-
MD5
d8cab9f0e1d8aa81e904fd511fd4db06
-
SHA1
c8f507e1184466db73e15d1ad73328b3a747c026
-
SHA256
3d99f295aeceacdb62e59c0728e3348f94a4261a1accbe672e3d04c9d7e2365a
-
SHA512
c0e094690be06e12937bd9b3279169864cf9066cd9b18449d36151a9704d13fa0c5caeb675358c1abcf1d78fc7431651a1b0211b1534a0333736ec5c7095450a
-
SSDEEP
12288:Cl2YX3TdtLW5WIj1YSSdFxsBSXyMzBUWb9lx/9AgHLo8OW+rBj:CkcDsj1dEcBcJ9nPx/igrp+1
Malware Config
Signatures
-
Ardamax main executable 1 IoCs
resource | yara_rule
behavioral2/files/0x000700000002342f-37.dat | family_ardamax
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe regsvr.exe" | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
-
Renames multiple (216) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
-
resource | yara_rule
behavioral2/files/0x000b000000023387-16.dat | aspack_v212_v242
-
Executes dropped EXE 3 IoCs
pid | Process
4508 | Logo1_.exe
3984 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
2192 | svchost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Msn Messsenger = "C:\\Windows\\system32\\regsvr.exe" | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost Agent = "C:\\Windows\\SysWOW64\\28463\\svchost.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" | Logo1_.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\e: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\g: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\j: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\u: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\v: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\p: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\a: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\k: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\z: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\l: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\n: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\q: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\t: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\y: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\b: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\r: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\w: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\h: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\i: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\m: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\o: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\s: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\x: | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened (read-only) | \??\L: | Logo1_.exe
-
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3984-74-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
behavioral2/memory/3984-75-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
behavioral2/memory/3984-76-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
behavioral2/memory/3984-756-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
behavioral2/memory/3984-827-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
behavioral2/memory/3984-828-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
behavioral2/memory/3984-829-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
behavioral2/memory/3984-830-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
behavioral2/memory/3984-831-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
behavioral2/memory/3984-832-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
behavioral2/memory/3984-833-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
behavioral2/memory/3984-834-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
behavioral2/memory/3984-835-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
behavioral2/memory/3984-836-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
behavioral2/memory/3984-837-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
-
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\setting.ini | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\28463\svchost.001 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\svchost .exe | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\28463\svchost.exe | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\28463\svchost.001 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\regsvr.exe | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\svchost .exe | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\28463 | svchost.exe
File created | C:\Windows\SysWOW64\setting.ini | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\28463 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\28463\svchost.exe | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\regsvr.exe | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\setup.ini | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe.Exe | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateOnDemand.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe.Exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.Exe | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe.Exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.195.15\MicrosoftEdgeUpdateSetup_X86_1.3.195.15.exe.Exe | Logo1_.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe.Exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\bin\javap.exe.Exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateBroker.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe.Exe | Logo1_.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | Logo1_.exe
File created | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.Exe | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.Exe | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE.Exe | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe.Exe | Logo1_.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateSetup.exe.Exe | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.exe | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe.Exe | Logo1_.exe
File created | C:\Program Files\Java\jre-1.8\bin\orbd.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.Exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.Exe | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82468\javaw.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe.Exe | Logo1_.exe
-
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\uninstall\rundl132.exe | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File created | C:\Windows\Logo1_.exe | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File created | C:\Windows\regsvr.exe | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened for modification | C:\Windows\regsvr.exe | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
File opened for modification | C:\Windows\uninstall\rundl132.exe | Logo1_.exe
File created | C:\Windows\RichDll.dll | Logo1_.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2156 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe (26 identical entries)
4508 | Logo1_.exe (38 identical entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: 33 | 2192 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2192 | svchost.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2192 | svchost.exe
-
Suspicious use of WriteProcessMemory 44 IoCs
description | pid | Process | procid_target
PID 2156 wrote to memory of 1592 | 2156 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 82
PID 2156 wrote to memory of 1592 | 2156 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 82
PID 2156 wrote to memory of 1592 | 2156 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 82
PID 1592 wrote to memory of 4596 | 1592 | net.exe | 84
PID 1592 wrote to memory of 4596 | 1592 | net.exe | 84
PID 1592 wrote to memory of 4596 | 1592 | net.exe | 84
PID 2156 wrote to memory of 2280 | 2156 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 88
PID 2156 wrote to memory of 2280 | 2156 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 88
PID 2156 wrote to memory of 2280 | 2156 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 88
PID 2156 wrote to memory of 4508 | 2156 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 90
PID 2156 wrote to memory of 4508 | 2156 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 90
PID 2156 wrote to memory of 4508 | 2156 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 90
PID 4508 wrote to memory of 3736 | 4508 | Logo1_.exe | 91
PID 4508 wrote to memory of 3736 | 4508 | Logo1_.exe | 91
PID 4508 wrote to memory of 3736 | 4508 | Logo1_.exe | 91
PID 3736 wrote to memory of 2616 | 3736 | net.exe | 93
PID 3736 wrote to memory of 2616 | 3736 | net.exe | 93
PID 3736 wrote to memory of 2616 | 3736 | net.exe | 93
PID 2280 wrote to memory of 3984 | 2280 | cmd.exe | 94
PID 2280 wrote to memory of 3984 | 2280 | cmd.exe | 94
PID 2280 wrote to memory of 3984 | 2280 | cmd.exe | 94
PID 3984 wrote to memory of 2192 | 3984 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 95
PID 3984 wrote to memory of 2192 | 3984 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 95
PID 3984 wrote to memory of 2192 | 3984 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 95
PID 3984 wrote to memory of 1868 | 3984 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 96
PID 3984 wrote to memory of 1868 | 3984 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 96
PID 3984 wrote to memory of 1868 | 3984 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 96
PID 1868 wrote to memory of 1356 | 1868 | cmd.exe | 99
PID 1868 wrote to memory of 1356 | 1868 | cmd.exe | 99
PID 1868 wrote to memory of 1356 | 1868 | cmd.exe | 99
PID 3984 wrote to memory of 3644 | 3984 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 100
PID 3984 wrote to memory of 3644 | 3984 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 100
PID 3984 wrote to memory of 3644 | 3984 | d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe | 100
PID 3644 wrote to memory of 8 | 3644 | cmd.exe | 102
PID 3644 wrote to memory of 8 | 3644 | cmd.exe | 102
PID 3644 wrote to memory of 8 | 3644 | cmd.exe | 102
PID 4508 wrote to memory of 976 | 4508 | Logo1_.exe | 103
PID 4508 wrote to memory of 976 | 4508 | Logo1_.exe | 103
PID 4508 wrote to memory of 976 | 4508 | Logo1_.exe | 103
PID 976 wrote to memory of 3792 | 976 | net.exe | 105
PID 976 wrote to memory of 3792 | 976 | net.exe | 105
PID 976 wrote to memory of 3792 | 976 | net.exe | 105
PID 4508 wrote to memory of 3436 | 4508 | Logo1_.exe | 56
PID 4508 wrote to memory of 3436 | 4508 | Logo1_.exe | 56
Processes
(tree depth in brackets; each node lists image path, command line, matched signatures and PID)

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID:3436

    [2] C:\Users\Admin\AppData\Local\Temp\d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe"
        - Drops file in Drivers directory
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID:2156

        [3] C:\Windows\SysWOW64\net.exe
            Command line: net stop "Kingsoft AntiVirus Service"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID:1592

            [4] C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                - System Location Discovery: System Language Discovery
                PID:4596

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7F61.bat
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID:2280

            [4] C:\Users\Admin\AppData\Local\Temp\d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe"
                - Modifies WinLogon for persistence
                - Disables RegEdit via registry modification
                - Executes dropped EXE
                - Adds Run key to start application
                - Enumerates connected drives
                - Drops file in System32 directory
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                PID:3984

                [5] C:\Windows\SysWOW64\28463\svchost.exe
                    Command line: C:\Windows\system32\28463\svchost.exe
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Drops file in System32 directory
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of SetWindowsHookEx
                    PID:2192

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory
                    PID:1868

                    [6] C:\Windows\SysWOW64\at.exe
                        Command line: AT /delete /yes
                        - System Location Discovery: System Language Discovery
                        PID:1356

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\svchost .exe
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory
                    PID:3644

                    [6] C:\Windows\SysWOW64\at.exe
                        Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\svchost .exe
                        - System Location Discovery: System Language Discovery
                        PID:8

        [3] C:\Windows\Logo1_.exe
            Command line: C:\Windows\Logo1_.exe
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Adds Run key to start application
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            PID:4508

            [4] C:\Windows\SysWOW64\net.exe
                Command line: net stop "Kingsoft AntiVirus Service"
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                PID:3736

                [5] C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    - System Location Discovery: System Language Discovery
                    PID:2616

            [4] C:\Windows\SysWOW64\net.exe
                Command line: net stop "Kingsoft AntiVirus Service"
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                PID:976

                [5] C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    - System Location Discovery: System Language Discovery
                    PID:3792
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
-
Filesize
598KB
MD5
fc105fe20ce7de74e2e70cc75609641d
SHA1
b0fb4e85aa39ddde22dc6b74d293b52829bf3a88
SHA256
da10d63d0cf739b0e15ed22c3d5b809d7eb60b3726473a8b6b962739318ef11c
SHA512
b178a0c6fa3e1153ec0b5064f782bbcc71ab1607c4ea1e6df1d258f41be31b2d5198485c945c07cb6ce6ab76b3844900193c10546967403945b8dc55bc8add14
-
Filesize
614B
MD5
7c6f42bccb345c62dcfd66b522f3a1c2
SHA1
f81c07405bc958763f5293a0264fc2b303212058
SHA256
5540c663f34e48d090eba6a7c47f541c513bfc014de250d7a484f50938ffe979
SHA512
dbc70fada82ee5a6a4cef4dc0370d7ab1a053c7a97b7864a1564b7a10a2c1a268771486d1783bc85a468bcea8229bc6ad30089561fa752f855860b3cc35c67f1
-
Filesize
602KB
MD5
ad98a35fa9b7808c3ec9008d628cff27
SHA1
fc6c9b0e9a9d0fb6f59165564331045fd12ff7f5
SHA256
ba4f73899cc8cb4b8fcc97eff5cb0d1f4ec6fd60c2de6ed57f1d40dc9fd0f28a
SHA512
27de9feded864d1d9fb1b261e559751a31b897de555ebcda384d96102ee9991bdaa6c7ad691b958e9120e8098b715a43c3cac2131e4938a428c0e75ef669c2f6
-
Filesize
54KB
MD5
68d9f79334a728b64d4fb7118ca9ed44
SHA1
68fd2b791a55cfc8ae6a59fd0c710016e7ddae68
SHA256
cd5d6a9067696241fc09aed06561bf2f57ec3a7547e06a0924b1e1e68279b783
SHA512
e9859b0a6f8ce15c9935a7b2f68087f0347ce19ea58eb31f31e697889a14a43ec5547649c1ad085adecdb5cb78fa35514e47653a341240c0fd20aa8970bbce58
-
Filesize
2KB
MD5
c427f41a9eb12166c278da8fed8a0c4a
SHA1
e0e1d1c8f6b58675a544f1461997cfc37a2e6c63
SHA256
ee74d1ba7e74e916f57ac4134aa5aa6eb7f920e7dae3b4cdb75af9225da616c6
SHA512
ea2e49983e04afaa0eec5b28eeed1e9c804326b49933e69962805c10a405cb7dd87061e50355f395e74107cb6ca674d4c8c0000ef13505ec58b1d7dec873aa85
-
Filesize
513KB
MD5
0c7a714b8e1d2ead2afc90dcc43bbe18
SHA1
66736613f22771f5da5606ed8c80b572b3f5c103
SHA256
800bdf00e09f302a17e22d26dffbea037e3c077ef9f6d1d585c114f079397a9e
SHA512
35db0de86c168eb6302dcbaa1e1f9ec96b5a8814e7067e1a7bb682e9f35fc06c51148a08e6f7df1e8caeb2effde555c53966a8922e8fef6b7ce194dc81c984b4
-
Filesize
2B
MD5
e0aa021e21dddbd6d8cecec71e9cf564
SHA1
9ce3bd4224c8c1780db56b4125ecf3f24bf748b7
SHA256
565339bc4d33d72817b583024112eb7f5cdf3e5eef0252d6ec1b9c9a94e12bb3
SHA512
900110c951560eff857b440e89cc29f529416e0e3b3d7f0ad51651bfdbd8025b91768c5ed7db5352d1a5523354ce06ced2c42047e33a3e958a1bba5f742db874
-
Filesize
96B
MD5
9ece103c47335f0cc777f1132b8d522f
SHA1
63afa171c64f86d99db81723e1335e960e85fa43
SHA256
69815d4932ddde240ce6b1353305d2fab58ca402e9c478452c8e37ce8a7b2ac9
SHA512
b1ac64c71c6338bf0ab33df938128822da680f20d0552edb2edb808f1c75bafb88467412fc8dc60ed8022a1f0c4f3fcbecb69a320ec871b3a766482f32d6eb05
-
Filesize
842B
MD5
6f4adf207ef402d9ef40c6aa52ffd245
SHA1
4b05b495619c643f02e278dede8f5b1392555a57
SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47