pony | 1ef7b6e2bd6add68d2964debcf51b5219885b9dd02e3b1a6f404843807ee9355

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
Size

640KB
MD5

da7c4eb4a81273ff2604d20f1f8cf53e
SHA1

4bcad6f4facd1c8f876abe05dfe6de811d1399d1
SHA256

1ef7b6e2bd6add68d2964debcf51b5219885b9dd02e3b1a6f404843807ee9355
SHA512

6ab5e976f206092bbe8a234ac8c11a3134635697e3946b87ea679e8e236716fe011a6e13a54e9f8159a6b61de7850be74077c4cdc90e103c2c9083d158ed9db2
SSDEEP

12288:mhNu/nYhj4bSV38kEe2THeCUk3dlHiXEOtTEEcCn4XBz6B4UYSi:mSO8bG3802aCZtlCUiEbHBXUYSi

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	cghost.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
2836	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
2664	aghost.exe
2656	aghost.exe
2588	bghost.exe
2884	cghost.exe
332	csrss.exe
2912	dghost.exe
1676	cghost.exe
2768	cghost.exe
2660	4885.tmp
868	eghost.exe

Loads dropped DLL 16 IoCs

pid	Process
1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
940	Process not Found
2884	cghost.exe
1012	DllHost.exe
2884	cghost.exe
2884	cghost.exe
1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
2660	4885.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2884-115-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1676-130-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DC8.exe = "C:\\Program Files (x86)\\LP\\D3AC\\DC8.exe"	cghost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2592	tasklist.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 468 set thread context of 1744	468	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	30
PID 2664 set thread context of 2656	2664	aghost.exe	32

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\D3AC\DC8.exe	cghost.exe
File opened for modification	C:\Program Files (x86)\LP\D3AC\4885.tmp	cghost.exe
File opened for modification	C:\Program Files (x86)\LP\D3AC\DC8.exe	cghost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bghost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aghost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cghost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dghost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cghost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cghost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4885.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{6309c5e8-cf71-f152-4438-0838fc78b4dd}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6309c5e8-cf71-f152-4438-0838fc78b4dd}\u = "860049491"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6309c5e8-cf71-f152-4438-0838fc78b4dd}\cid = "6525155775823598832"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	aghost.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
2656	aghost.exe
2884	cghost.exe
2884	cghost.exe
2884	cghost.exe
2884	cghost.exe
2884	cghost.exe
2884	cghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe
2656	aghost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2552	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	explorer.exe
Token: SeRestorePrivilege	2856	msiexec.exe
Token: SeTakeOwnershipPrivilege	2856	msiexec.exe
Token: SeSecurityPrivilege	2856	msiexec.exe
Token: SeShutdownPrivilege	2552	explorer.exe
Token: SeShutdownPrivilege	2552	explorer.exe
Token: SeShutdownPrivilege	2552	explorer.exe
Token: SeShutdownPrivilege	2552	explorer.exe
Token: SeShutdownPrivilege	2552	explorer.exe
Token: SeShutdownPrivilege	2552	explorer.exe
Token: SeShutdownPrivilege	2552	explorer.exe
Token: SeShutdownPrivilege	2552	explorer.exe
Token: SeShutdownPrivilege	2552	explorer.exe
Token: SeShutdownPrivilege	2552	explorer.exe
Token: 33	540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	540	AUDIODG.EXE
Token: 33	540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	540	AUDIODG.EXE
Token: SeShutdownPrivilege	2552	explorer.exe
Token: SeShutdownPrivilege	2552	explorer.exe
Token: SeDebugPrivilege	2592	tasklist.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeSystemtimePrivilege	844	svchost.exe
Token: SeBackupPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeUndockPrivilege	844	svchost.exe
Token: SeManageVolumePrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeSystemtimePrivilege	844	svchost.exe
Token: SeBackupPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeUndockPrivilege	844	svchost.exe
Token: SeManageVolumePrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeSystemtimePrivilege	844	svchost.exe
Token: SeBackupPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeUndockPrivilege	844	svchost.exe
Token: SeManageVolumePrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeSystemtimePrivilege	844	svchost.exe
Token: SeBackupPrivilege	844	svchost.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
2912	dghost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 1744	468	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	30
PID 468 wrote to memory of 1744	468	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	30
PID 468 wrote to memory of 1744	468	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	30
PID 468 wrote to memory of 1744	468	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	30
PID 468 wrote to memory of 1744	468	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	30
PID 468 wrote to memory of 1744	468	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	30
PID 468 wrote to memory of 1744	468	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	30
PID 468 wrote to memory of 1744	468	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	30
PID 468 wrote to memory of 1744	468	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	30
PID 1744 wrote to memory of 2664	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	31
PID 1744 wrote to memory of 2664	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	31
PID 1744 wrote to memory of 2664	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	31
PID 1744 wrote to memory of 2664	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2656	2664	aghost.exe	32
PID 2664 wrote to memory of 2656	2664	aghost.exe	32
PID 2664 wrote to memory of 2656	2664	aghost.exe	32
PID 2664 wrote to memory of 2656	2664	aghost.exe	32
PID 2664 wrote to memory of 2656	2664	aghost.exe	32
PID 2664 wrote to memory of 2656	2664	aghost.exe	32
PID 2664 wrote to memory of 2656	2664	aghost.exe	32
PID 2664 wrote to memory of 2656	2664	aghost.exe	32
PID 2664 wrote to memory of 2656	2664	aghost.exe	32
PID 2664 wrote to memory of 2656	2664	aghost.exe	32
PID 2664 wrote to memory of 2656	2664	aghost.exe	32
PID 1744 wrote to memory of 2588	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	33
PID 1744 wrote to memory of 2588	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	33
PID 1744 wrote to memory of 2588	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	33
PID 1744 wrote to memory of 2588	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	33
PID 2588 wrote to memory of 3032	2588	bghost.exe	34
PID 2588 wrote to memory of 3032	2588	bghost.exe	34
PID 2588 wrote to memory of 3032	2588	bghost.exe	34
PID 2588 wrote to memory of 3032	2588	bghost.exe	34
PID 2588 wrote to memory of 3032	2588	bghost.exe	34
PID 2588 wrote to memory of 3032	2588	bghost.exe	34
PID 1744 wrote to memory of 2884	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	35
PID 1744 wrote to memory of 2884	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	35
PID 1744 wrote to memory of 2884	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	35
PID 1744 wrote to memory of 2884	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	35
PID 3032 wrote to memory of 332	3032	explorer.exe	2
PID 332 wrote to memory of 2856	332	csrss.exe	36
PID 332 wrote to memory of 2856	332	csrss.exe	36
PID 1744 wrote to memory of 2912	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	37
PID 1744 wrote to memory of 2912	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	37
PID 1744 wrote to memory of 2912	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	37
PID 1744 wrote to memory of 2912	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	37
PID 332 wrote to memory of 2856	332	csrss.exe	36
PID 332 wrote to memory of 2856	332	csrss.exe	36
PID 2884 wrote to memory of 1676	2884	cghost.exe	38
PID 2884 wrote to memory of 1676	2884	cghost.exe	38
PID 2884 wrote to memory of 1676	2884	cghost.exe	38
PID 2884 wrote to memory of 1676	2884	cghost.exe	38
PID 332 wrote to memory of 1012	332	csrss.exe	39
PID 2884 wrote to memory of 2768	2884	cghost.exe	40
PID 2884 wrote to memory of 2768	2884	cghost.exe	40
PID 2884 wrote to memory of 2768	2884	cghost.exe	40
PID 2884 wrote to memory of 2768	2884	cghost.exe	40
PID 2884 wrote to memory of 2660	2884	cghost.exe	42
PID 2884 wrote to memory of 2660	2884	cghost.exe	42
PID 2884 wrote to memory of 2660	2884	cghost.exe	42
PID 2884 wrote to memory of 2660	2884	cghost.exe	42
PID 332 wrote to memory of 2264	332	csrss.exe	43
PID 1744 wrote to memory of 868	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	45
PID 1744 wrote to memory of 868	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	45
PID 1744 wrote to memory of 868	1744	da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe	45

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cghost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	cghost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Users\Admin\AppData\Local\Temp\da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:468
- C:\Users\Admin\AppData\Local\Temp\da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
  da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\aghost.exe
    C:\Users\Admin\aghost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\aghost.exe
      aghost.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2656
- - C:\Users\Admin\bghost.exe
    C:\Users\Admin\bghost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\explorer.exe
      0000007C*
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3032
- - C:\Users\Admin\cghost.exe
    C:\Users\Admin\cghost.exe
    3⤵
    - Modifies security service
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2884
  - - C:\Users\Admin\cghost.exe
      C:\Users\Admin\cghost.exe startC:\Users\Admin\AppData\Roaming\C2A40\87ED3.exe%C:\Users\Admin\AppData\Roaming\C2A40
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1676
  - - C:\Users\Admin\cghost.exe
      C:\Users\Admin\cghost.exe startC:\Program Files (x86)\4017E\lvvm.exe%C:\Program Files (x86)\4017E
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2768
  - - C:\Program Files (x86)\LP\D3AC\4885.tmp
      "C:\Program Files (x86)\LP\D3AC\4885.tmp"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2660
- - C:\Users\Admin\dghost.exe
    C:\Users\Admin\dghost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2912
- - C:\Users\Admin\eghost.exe
    C:\Users\Admin\eghost.exe
    3⤵
    - Executes dropped EXE
    PID:868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del da7c4eb4a81273ff2604d20f1f8cf53e_JaffaCakes118.exe
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2836
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2592

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Loads dropped DLL
PID:1012

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2264

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x590
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C2A40\017E.2A4

Filesize
600B

MD5
792feb650bfd2be733603e26ad940db1

SHA1
156f38971ff829f4e8b94db424efca0a170b8e62

SHA256
7216b541073d1aa9651d69783d0f80379032e8aaec8000686096eb21bd0768c1

SHA512
03d9c4927146c9c7aefe3db0167fa4b534fdac50664da09cfcac55578c857025828e9cb93dec53cbffb12118ae4cca08aa8e456e6e2120baaa4b820a3f8b53ed

Download Submit
C:\Users\Admin\AppData\Roaming\C2A40\017E.2A4

Filesize
996B

MD5
b09d49d16ddb74afd836a200ab9d0264

SHA1
8463f5e3b1f1316e7316dce449f4906128d98160

SHA256
9e4946ee65b727d5c764501dd25d7ce75cb09ca32f16bbd2f104274dec9c0bd6

SHA512
5191c81351b11fe8fb5b14adf925f73ee72c4feba2f8ae67b80e4d45b308f031b691ee82392ccb717cd8b0319c5c35ff397ae27574ebed775ce3a8cff77adc0d

Download Submit
C:\Users\Admin\AppData\Roaming\C2A40\017E.2A4

Filesize
1KB

MD5
3b3532ea3a704161c2e764a7543fb4e9

SHA1
ea8f7e4b0673c66756049e303bce0f3e8631502e

SHA256
dc46878dea6c73bd5e110937abf95d5e87052138b2051230688377fc13a2206f

SHA512
740c7bb1fe42499599be106553c92738edcb14a699d244fffb61a76141bd99a77b9652e91a8de6bdf4f69ddc96ce596cc5e8d4d65b18e2816ddd891ab8d47a6c

Download Submit
C:\Users\Admin\AppData\Roaming\C2A40\017E.2A4

Filesize
1KB

MD5
44e3c8a73ec1b9b788d5d20d454899fd

SHA1
aec5337eba1f4cc511c92f25752a6ad8979789b9

SHA256
30f582df8f28a04799d8e5d1bc6a52903bf911be4a87bba59705f091c1872c5d

SHA512
adade37193b358e59d23dd9cf4e4a3ac878357d955ef3afe1806a833dad5f2f51f15ef85d705f8995c8ce082887fe7a6f7a2b6c23ddaa03dcab0f0ac73e84cdb

Download Submit
C:\Windows\system32\consrv.DLL

Filesize
52KB

MD5
c7570a7e24b29ee04a48c2c99da2587b

SHA1
b6e3635a8de44b1635e8d362ac131e14281feb24

SHA256
717cd7661c09701ee39c505d8b604ea3dd6c1151ef18e7ed1cab3832552ac34b

SHA512
57479d2f5386ace8cc5e5ed543e6ad2c2b7b58accc849807d804a8cf0d03080f328f7b42442422fa1483a01ad473ca302f9eca97b9eb24e699e22db56641c572

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
3273f0bb824743f310d4ac5c5969a36e

SHA1
17fb6fb21f3fc8bb4cb532d389f85dd51b5d49d1

SHA256
80122756780fd8487627c96d571b4171dbd4e57cbeb555fd6d8adf0ebc20f18b

SHA512
3cdbd226498a79e0b561fd212b3ba5c45340707251b3f4c036aa66dae8a41c8a54ccbc72592edcd4aedf07253f0511d585b1ba1d76ec9afe4c0428708db76889

Download Submit
\Program Files (x86)\LP\D3AC\4885.tmp

Filesize
98KB

MD5
a947ad1236b35422485681abe768ff48

SHA1
454b8c85500ca1d2496c875fa4e32311aaf6dc02

SHA256
10ca53e5ca35f67264d4892eed888984ff03c172292d1082714187e03ef7974d

SHA512
fb71b6369bef57f1f4e6b39fe9745620d1acd3c216343dd68affd70b2057f893d3966b76afb2ac4f6fed5941dcee60a2c8322b423f9e7789f3ccb7a64a6cdf8c

Download Submit
\Users\Admin\aghost.exe

Filesize
132KB

MD5
16f28c738307d429f638ddb9b5162844

SHA1
d0244b1a729c63023109d396b9c66b194edfc458

SHA256
aa651b1027ba2c4f671064685c92ec337bf34504b2e11a0317abdfc7a6ac5524

SHA512
ef35963861e035acc313f5dd43be5504c6213513773605c782e26170629442280f76f73c1e7efcb26eaf75d26ce806d7dd205dc453630ff7aa649581f8c03447

Download Submit
\Users\Admin\bghost.exe

Filesize
148KB

MD5
eb27f18af785714a726c64f02b87f4ca

SHA1
6e395b92079e0c264b8f44363fa072eaec7380d3

SHA256
45605d8e4eb7c9483a296c2a0cede229301d4e6ac2b005476017f3b5fdbef739

SHA512
c71e27aa1d60b7897de450ee660ee2b524b86b4d7c55d3227f28f248303ad5ed5f115bd0cb53c0e999bd7307b7464f8a936f4329aa2103cfbb97d32e50e5c338

Download Submit
\Users\Admin\cghost.exe

Filesize
279KB

MD5
2710039ff3f49679bb9e287fefcc915b

SHA1
d25ac6bfc2eade7723afe3890238f444556f865d

SHA256
260115d29aceff379349beb3e8417b27daa54b518186a345453bc7951e4b0d84

SHA512
c0114b7faea1f7368f396669873b79b31a5a2eee250fcc4a32a4ec1c90edbb4cceebe6a7aa86182d2065687b650cee611b2aa7723fdfeee8aef269c33fdbab04

Download Submit
\Users\Admin\dghost.exe

Filesize
24KB

MD5
ee0f9c53597dd6d804a368e193dabcb4

SHA1
9d6206ae8ef89f3ba94c5fde85169ac951545c05

SHA256
a7d94328bc0f7ecb91d1c513d1e3d5b1563737b162a175fd97b2e0e5e5a2cc97

SHA512
a7f2a1d84f48ea2b24663a1fbb1b05638ec3ce9cfab0627e7bd98a1fe9a35e927831d0c9aafff696c351379f812e511539d8ec821d23401bd87e1d213d6955c5

Download Submit
\Users\Admin\eghost.exe

Filesize
125KB

MD5
b54d9d8ea4223dfd5db626aab66cec99

SHA1
d0654e390737989e4be469a6e6cd8e392e27290c

SHA256
9c6dc182bb9d7946381c92edd0d8a650002367eefe93c528042b74baad6550be

SHA512
1cf0e27a30ab7978b86bd5f9ed093286150d3e329e8000c2a767391709905a2728004c0acc8533e8145cdb86b007c056cf5c4902f7108e49646a65eb5883b9d6

Download Submit
\Windows\assembly\GAC_32\Desktop.ini

Filesize
4KB

MD5
80dbc7d15fdf94f16bb4a739cd9c3f98

SHA1
c0f3f20b360ce78cc153fa514e5f62c06f68feb7

SHA256
20b2d1e1b5348ed92f7e2eaedba4348e446970c13c6226f34a816503aa956c91

SHA512
cf8d820104ee3db4a103fb19d38267fe2f5095a29777bf3bcde95d4299360681cedd421251af92038da3f8709e68f101f7326ad9abdd087a59ca83adec87bc48

Download Submit
\Windows\assembly\GAC_64\Desktop.ini

Filesize
5KB

MD5
78ab98fd9228277f2638fd93cd703016

SHA1
1640ee7f500074c155a5af431e9d125a4ec2cea5

SHA256
e0517a9584af6cfd4f1e6d280e086b20fd576b90b32f9ddac916de03a53b766c

SHA512
d98ed49a83d5b50737a674e4421cea4cbe353f80234d2d5a8df82995a0d81e9524f23919ca600afb98bc676a8f93e7c0df73c22cae9b3fc624027800ba9dcc76

Download Submit
memory/332-94-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/468-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1676-130-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1744-10-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1744-58-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/1744-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1744-59-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/1744-4-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1744-1-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1744-2-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1744-64-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2588-62-0x0000000000407000-0x0000000000408000-memory.dmp

Filesize
4KB

Download
memory/2588-67-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2588-61-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2588-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2588-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2656-31-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-43-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-27-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-34-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-51-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-29-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-49-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-37-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2664-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2884-115-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3032-81-0x0000000000300000-0x0000000000319000-memory.dmp

Filesize
100KB

Download
memory/3032-73-0x00000000000E0000-0x00000000000F5000-memory.dmp

Filesize
84KB

Download
memory/3032-76-0x0000000000300000-0x0000000000319000-memory.dmp

Filesize
100KB

Download
memory/3032-70-0x0000000000300000-0x0000000000319000-memory.dmp

Filesize
100KB

Download