e0f2cc4926ee75d815692de2a970e01b9ccf351987c495a591202cf90a73008f

Analysis

max time kernel
135s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
Size

404KB
MD5

db158a450dfce4205588e0b1a68597f2
SHA1

fd08f935988e6f1c4e72fe4c47d3012a374bc2b0
SHA256

e0f2cc4926ee75d815692de2a970e01b9ccf351987c495a591202cf90a73008f
SHA512

588721c0adefd2917231a9fee9bb223c74b2b9eb3c4c083a38b0795ae37c73c592ba151d222bfcae77ccc0bbf992ae6141b286985ef4b5487fc49b0a5a1a4c6b
SSDEEP

3072:v+0++re1DsRxW1YUf3f3vV5Km/EkHY2MgBlh0epD5a6Ym+0++re1DsRxC1YUf3ft:m+yOvWj3H/EAYfgBlD5mZ+yOvCj3

Score

8^/10

defense_evasion discovery evasion persistence trojan

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 1 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	LSASS.EXE

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	LSASS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	LSASS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe	LSASS.EXE

Executes dropped EXE 64 IoCs

pid	Process
1300	SMSS.EXE
3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
4108	LSASS.EXE
3928	SMSS.EXE
5100	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe
4152	LSASS.EXE
1420	SMSS.EXE
3716	SMSS.EXE
404	SMSS.EXE
1296	SMSS.EXE
3052	SMSS.EXE
1004	SMSS.EXE
1392	SMSS.EXE
1672	SMSS.EXE
4072	SMSS.EXE
3404	SMSS.EXE
2152	SMSS.EXE
2412	SMSS.EXE
1480	SMSS.EXE
1216	SMSS.EXE
3112	SMSS.EXE
3772	SMSS.EXE
1520	SMSS.EXE
1208	SMSS.EXE
1992	SMSS.EXE
756	SMSS.EXE
1580	SMSS.EXE
3636	SMSS.EXE
4388	SMSS.EXE
3124	SMSS.EXE
1948	SMSS.EXE
1996	SMSS.EXE
2288	SMSS.EXE
4356	SMSS.EXE
4864	SMSS.EXE
2740	SMSS.EXE
4240	SMSS.EXE
980	SMSS.EXE
2684	SMSS.EXE
456	SMSS.EXE
1624	SMSS.EXE
2640	SMSS.EXE
1084	SMSS.EXE
3212	SMSS.EXE
4464	SMSS.EXE
4308	SMSS.EXE
1016	SMSS.EXE
924	SMSS.EXE
1200	SMSS.EXE
224	SMSS.EXE
2008	SMSS.EXE
4044	SMSS.EXE
2032	SMSS.EXE
1588	SMSS.EXE
3340	SMSS.EXE
4812	SMSS.EXE
1548	SMSS.EXE
1184	SMSS.EXE
1384	SMSS.EXE
1944	SMSS.EXE
2592	SMSS.EXE
3572	SMSS.EXE
4404	SMSS.EXE
212	SMSS.EXE

Loads dropped DLL 1 IoCs

pid	Process
3892	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	LSASS.EXE

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LSASS.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LSASS.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	LSASS.EXE
File opened (read-only)	\??\E:	LSASS.EXE

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	LSASS.EXE

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	LSASS.EXE
File created	C:\AUTORUN.INF	LSASS.EXE
File opened for modification	D:\AUTORUN.INF	LSASS.EXE
File opened for modification	\??\E:\AUTORUN.INF	LSASS.EXE

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\netcfg.000	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\LSASS.EXE	LSASS.EXE
File created	C:\Windows\SysWOW64\com\SMSS.EXE	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\com\LSASS.EXE	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\bak	LSASS.EXE
File created	C:\Windows\SysWOW64\com\SMSS.EXE	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
File opened for modification	C:\Windows\SysWOW64\com\netcfg.dll	LSASS.EXE
File created	C:\Windows\SysWOW64\com\netcfg.000	LSASS.EXE
File created	C:\Windows\SysWOW64\com\netcfg.dll	LSASS.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2520	ping.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2520	ping.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3656	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
3656	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
3656	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
3656	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
4108	LSASS.EXE
4108	LSASS.EXE
4108	LSASS.EXE
4108	LSASS.EXE
4152	LSASS.EXE
4152	LSASS.EXE
4152	LSASS.EXE
4152	LSASS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 4600	3656	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	87
PID 3656 wrote to memory of 4600	3656	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	87
PID 3656 wrote to memory of 4600	3656	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	87
PID 3656 wrote to memory of 1300	3656	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	90
PID 3656 wrote to memory of 1300	3656	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	90
PID 3656 wrote to memory of 1300	3656	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	90
PID 3656 wrote to memory of 3128	3656	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	91
PID 3656 wrote to memory of 3128	3656	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	91
PID 3656 wrote to memory of 3128	3656	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	91
PID 3128 wrote to memory of 2888	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	92
PID 3128 wrote to memory of 2888	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	92
PID 3128 wrote to memory of 2888	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	92
PID 3128 wrote to memory of 964	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	93
PID 3128 wrote to memory of 964	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	93
PID 3128 wrote to memory of 964	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	93
PID 3128 wrote to memory of 4108	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	96
PID 3128 wrote to memory of 4108	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	96
PID 3128 wrote to memory of 4108	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	96
PID 3128 wrote to memory of 3928	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	97
PID 3128 wrote to memory of 3928	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	97
PID 3128 wrote to memory of 3928	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	97
PID 3128 wrote to memory of 5100	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	98
PID 3128 wrote to memory of 5100	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	98
PID 3128 wrote to memory of 5100	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	98
PID 3128 wrote to memory of 4152	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	99
PID 3128 wrote to memory of 4152	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	99
PID 3128 wrote to memory of 4152	3128	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	99
PID 4108 wrote to memory of 1448	4108	LSASS.EXE	100
PID 4108 wrote to memory of 1448	4108	LSASS.EXE	100
PID 4108 wrote to memory of 1448	4108	LSASS.EXE	100
PID 4108 wrote to memory of 3596	4108	LSASS.EXE	101
PID 4108 wrote to memory of 3596	4108	LSASS.EXE	101
PID 4108 wrote to memory of 3596	4108	LSASS.EXE	101
PID 4152 wrote to memory of 4948	4152	LSASS.EXE	102
PID 4152 wrote to memory of 4948	4152	LSASS.EXE	102
PID 4152 wrote to memory of 4948	4152	LSASS.EXE	102
PID 4152 wrote to memory of 4920	4152	LSASS.EXE	104
PID 4152 wrote to memory of 4920	4152	LSASS.EXE	104
PID 4152 wrote to memory of 4920	4152	LSASS.EXE	104
PID 4108 wrote to memory of 1420	4108	LSASS.EXE	109
PID 4108 wrote to memory of 1420	4108	LSASS.EXE	109
PID 4108 wrote to memory of 1420	4108	LSASS.EXE	109
PID 4108 wrote to memory of 3716	4108	LSASS.EXE	110
PID 4108 wrote to memory of 3716	4108	LSASS.EXE	110
PID 4108 wrote to memory of 3716	4108	LSASS.EXE	110
PID 4108 wrote to memory of 404	4108	LSASS.EXE	111
PID 4108 wrote to memory of 404	4108	LSASS.EXE	111
PID 4108 wrote to memory of 404	4108	LSASS.EXE	111
PID 4108 wrote to memory of 1296	4108	LSASS.EXE	112
PID 4108 wrote to memory of 1296	4108	LSASS.EXE	112
PID 4108 wrote to memory of 1296	4108	LSASS.EXE	112
PID 4108 wrote to memory of 2244	4108	LSASS.EXE	113
PID 4108 wrote to memory of 2244	4108	LSASS.EXE	113
PID 4108 wrote to memory of 2244	4108	LSASS.EXE	113
PID 4108 wrote to memory of 3892	4108	LSASS.EXE	115
PID 4108 wrote to memory of 3892	4108	LSASS.EXE	115
PID 4108 wrote to memory of 3892	4108	LSASS.EXE	115
PID 4108 wrote to memory of 3052	4108	LSASS.EXE	116
PID 4108 wrote to memory of 3052	4108	LSASS.EXE	116
PID 4108 wrote to memory of 3052	4108	LSASS.EXE	116
PID 4108 wrote to memory of 1004	4108	LSASS.EXE	117
PID 4108 wrote to memory of 1004	4108	LSASS.EXE	117
PID 4108 wrote to memory of 1004	4108	LSASS.EXE	117
PID 4108 wrote to memory of 1392	4108	LSASS.EXE	118

C:\Users\Admin\AppData\Local\Temp\db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4600
- C:\Windows\SysWOW64\com\SMSS.EXE
  c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe|c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
  2⤵
  - Executes dropped EXE
  PID:1300
- \??\c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
  "c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:964
- - C:\Windows\SysWOW64\com\LSASS.EXE
    "C:\Windows\system32\com\LSASS.EXE"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Indicator Removal: Clear Persistence
    - Drops autorun.inf file
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1448
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3596
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1420
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Windows\system32\com\LSASS.EXE|C:\pagefile.pif
      4⤵
      Executes dropped EXE
      PID:3716
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Windows\system32\com\LSASS.EXE|D:\pagefile.pif
      4⤵
      Executes dropped EXE
      PID:404
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Windows\system32\com\LSASS.EXE|E:\pagefile.pif
      4⤵
      Executes dropped EXE
      PID:1296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2244
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3892
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:3052
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1004
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1392
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1672
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:4072
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:3404
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:2152
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:2412
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1480
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1216
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:3112
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:3772
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1520
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1208
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1992
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:756
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1580
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:3636
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:4388
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:3124
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1948
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1996
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:2288
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:4356
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:4864
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:2740
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:4240
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:980
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:2684
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:456
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1624
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:2640
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1084
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:3212
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:4464
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:4308
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1016
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:924
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1200
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:224
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:2008
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:4044
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:2032
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1588
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:3340
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:4812
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1548
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1184
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1384
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1944
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:2592
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:3572
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:4404
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:212
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4948
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4872
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4008
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:1908
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4564
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:932
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:3652
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:1348
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4920
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4456
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:5080
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4544
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4624
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4808
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:3424
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4592
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:2948
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:3456
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:3776
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:3660
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4708
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:448
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:3584
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:388
  - - C:\Windows\SysWOW64\ping.exe
      ping.exe -f -n 1 www.baidu.com
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2520
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:864
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:2096
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:3108
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:4760
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:3840
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      PID:3488
- - C:\Windows\SysWOW64\com\SMSS.EXE
    c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.~|c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe
    3⤵
    - Executes dropped EXE
    PID:3928
- - \??\c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5100
- - C:\Windows\SysWOW64\com\LSASS.EXE
    ^c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log

Filesize
404KB

MD5
db158a450dfce4205588e0b1a68597f2

SHA1
fd08f935988e6f1c4e72fe4c47d3012a374bc2b0

SHA256
e0f2cc4926ee75d815692de2a970e01b9ccf351987c495a591202cf90a73008f

SHA512
588721c0adefd2917231a9fee9bb223c74b2b9eb3c4c083a38b0795ae37c73c592ba151d222bfcae77ccc0bbf992ae6141b286985ef4b5487fc49b0a5a1a4c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.~

Filesize
204KB

MD5
458342ff2c067e5577b2b784496afd38

SHA1
d21e857cfe4adbef40fc058bd76d35440d838f1e

SHA256
8639263b52980ed9b897b0369e4510316f283169b62679f30e400165996b36f2

SHA512
0c3a3661b94e0d13698532f687b2d53da7242222aee57ff5ea718ab8395fa6a1926c4b711bbe2c64e64e00f1a6344855ee5adb090b235dc81516e29e5c7ba14c

Download Submit
C:\Windows\SysWOW64\Com\LSASS.EXE

Filesize
100KB

MD5
94639ff083efb161b3d4d4e6c6247182

SHA1
7e8b0b5bea4a21b393ee2f22eeb4f30c27629e50

SHA256
560b4ceffe62928300d76e23b0c7d7b5952a121a08ce4b205a01b2302d92c739

SHA512
4c115071c501ec4b929ea3fce2599ed16574bb98be8c4dc9d4d56ad7ce7edf56dcee0a7d54290d048db1c145882ea7105a3b1647778f29ef0d7dd340f56d73a1

Download Submit
C:\Windows\SysWOW64\Com\SMSS.EXE

Filesize
9KB

MD5
06881bb6758cd51060aee95b16a68407

SHA1
4c8afb0aeb356970379f1f6f68a7aeaae12c1116

SHA256
825ae572cb46ba13bde721cd9db0477df302abb93e988e79095bbc212a6c4e95

SHA512
e0257afaae0a0c209a0ae2266bac51c43182b856aa103d1604fcd2a75c25a91c9383e4d78c4bd22eee7cb60a99aea07c86aa0316fd4862f51e1bed61ec61384f

Download Submit
C:\Windows\SysWOW64\Com\netcfg.000

Filesize
44KB

MD5
fc978b1e5e7bbcc4c823a638f7b659af

SHA1
64ea345e8c6d4366ba22ca7e06f1d29dec9affd5

SHA256
91e61328a1d2353ad402d8375157f219cc72b147f9c85eacdf189cfdeadacca0

SHA512
ca7165e7705411e788be99402d4ff5f936330b6c3bc8b56fe5f0eae8713681ca7468f150ddcd7db31f0d4c61ec0244a2229c729085d55b62185a79c276dab587

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads