Analysis
-
max time kernel
148s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14-09-2024 12:23
Static task
static1
Behavioral task
behavioral1
Sample
e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
-
Size
76KB
-
MD5
e02ce999fdf66035d7cdbdc19585eff0
-
SHA1
886ba82210574979bbd070a3b5279589b9fd8772
-
SHA256
8d6524aff6a6eba7663282eff6e7aa6313e041b49033852faecb71492ff04cc6
-
SHA512
8084dcde12c3b150dae09abc4a30ced5212e0cc647a7d7276463253dce88555ee11171ee2bf6e73558447f52758c15d487fd47749741c4912238747ff7bd0ed1
-
SSDEEP
1536:PaRW+D2q3FQf2kvdMiCei1JRN3AfsB73lL0841nn0c+po6BZXKuaiM:PSW+6f2kvjCeiLR1AEB73lL08S0faMk3
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\msvhny.com" svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\msvhny.com" svchost.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
svchost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}\StubPath = "C:\\Windows\\system32\\mscabo.com" svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 2280 svchost.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
svchost.exesvchost.exedescription ioc process File opened (read-only) \??\M: svchost.exe File opened (read-only) \??\S: svchost.exe File opened (read-only) \??\Y: svchost.exe File opened (read-only) \??\B: svchost.exe File opened (read-only) \??\U: svchost.exe File opened (read-only) \??\A: svchost.exe File opened (read-only) \??\V: svchost.exe File opened (read-only) \??\X: svchost.exe File opened (read-only) \??\G: svchost.exe File opened (read-only) \??\K: svchost.exe File opened (read-only) \??\M: svchost.exe File opened (read-only) \??\O: svchost.exe File opened (read-only) \??\R: svchost.exe File opened (read-only) \??\O: svchost.exe File opened (read-only) \??\A: svchost.exe File opened (read-only) \??\E: svchost.exe File opened (read-only) \??\Y: svchost.exe File opened (read-only) \??\H: svchost.exe File opened (read-only) \??\N: svchost.exe File opened (read-only) \??\T: svchost.exe File opened (read-only) \??\V: svchost.exe File opened (read-only) \??\H: svchost.exe File opened (read-only) \??\N: svchost.exe File opened (read-only) \??\W: svchost.exe File opened (read-only) \??\Z: svchost.exe File opened (read-only) \??\U: svchost.exe File opened (read-only) \??\Z: svchost.exe File opened (read-only) \??\I: svchost.exe File opened (read-only) \??\J: svchost.exe File opened (read-only) \??\G: svchost.exe File opened (read-only) \??\K: svchost.exe File opened (read-only) \??\T: svchost.exe File opened (read-only) \??\P: svchost.exe File opened (read-only) \??\Q: svchost.exe File opened (read-only) \??\X: svchost.exe File opened (read-only) \??\L: svchost.exe File opened (read-only) \??\P: svchost.exe File opened (read-only) \??\S: svchost.exe File opened (read-only) \??\W: svchost.exe File opened (read-only) \??\Q: svchost.exe File opened (read-only) \??\R: svchost.exe File opened (read-only) \??\L: svchost.exe File opened (read-only) \??\J: svchost.exe File opened (read-only) \??\B: svchost.exe File opened (read-only) \??\E: svchost.exe File opened (read-only) \??\I: svchost.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Remote Services: SMB/Windows Admin Shares 1 TTPs 2 IoCs
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
Processes:
svchost.exesvchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes svchost.exe -
Drops file in System32 directory 13 IoCs
Processes:
svchost.exesvchost.exesvchost.exee02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\system32\wbem\repository\MAPPING1.MAP svchost.exe File opened for modification C:\Windows\system32\wbem\repository\MAPPING3.MAP svchost.exe File opened for modification C:\Windows\SysWOW64\mslg.blf svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\SysWOW64\mscabo.com e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe File created C:\Windows\SysWOW64\mscabo.com e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe File opened for modification C:\Windows\system32\wbem\repository\WRITABLE.TST svchost.exe File opened for modification C:\Windows\system32\wbem\repository\MAPPING2.MAP svchost.exe File opened for modification C:\Windows\system32\wbem\repository\OBJECTS.DATA svchost.exe File created C:\Windows\SysWOW64\mslg.blf svchost.exe File opened for modification C:\Windows\SysWOW64\mscabo.com svchost.exe File opened for modification C:\Windows\system32\wbem\repository svchost.exe File opened for modification C:\Windows\system32\wbem\repository\INDEX.BTR svchost.exe -
Drops file in Windows directory 8 IoCs
Processes:
e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exesvchost.exedescription ioc process File created C:\Windows\msagent\msvhny.com e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe File opened for modification C:\Windows\svchost.exe svchost.exe File created C:\Windows\svchost.exe svchost.exe File opened for modification C:\Windows\msagent\msvhny.com svchost.exe File created C:\Windows\msagent\msvhny.com svchost.exe File opened for modification C:\Windows\svchost.exe e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe File created C:\Windows\svchost.exe e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe File opened for modification C:\Windows\msagent\msvhny.com e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exesvchost.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Modifies data under HKEY_USERS 48 IoCs
Processes:
svchost.exesvchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust svchost.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exesvchost.exepid process 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe 2280 svchost.exe 2280 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
svchost.exepid process 2280 svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exesvchost.exesvchost.exesvchost.exedescription pid process Token: SeIncreaseQuotaPrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeSecurityPrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeLoadDriverPrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeSystemProfilePrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeSystemtimePrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeBackupPrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeRestorePrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeShutdownPrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeDebugPrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeUndockPrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeManageVolumePrivilege 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: 33 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: 34 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: 35 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: 36 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe Token: SeAuditPrivilege 4060 svchost.exe Token: SeAuditPrivilege 4060 svchost.exe Token: SeIncreaseQuotaPrivilege 2280 svchost.exe Token: SeSecurityPrivilege 2280 svchost.exe Token: SeTakeOwnershipPrivilege 2280 svchost.exe Token: SeLoadDriverPrivilege 2280 svchost.exe Token: SeSystemProfilePrivilege 2280 svchost.exe Token: SeSystemtimePrivilege 2280 svchost.exe Token: SeProfSingleProcessPrivilege 2280 svchost.exe Token: SeIncBasePriorityPrivilege 2280 svchost.exe Token: SeCreatePagefilePrivilege 2280 svchost.exe Token: SeBackupPrivilege 2280 svchost.exe Token: SeRestorePrivilege 2280 svchost.exe Token: SeShutdownPrivilege 2280 svchost.exe Token: SeDebugPrivilege 2280 svchost.exe Token: SeSystemEnvironmentPrivilege 2280 svchost.exe Token: SeRemoteShutdownPrivilege 2280 svchost.exe Token: SeUndockPrivilege 2280 svchost.exe Token: SeManageVolumePrivilege 2280 svchost.exe Token: 33 2280 svchost.exe Token: 34 2280 svchost.exe Token: 35 2280 svchost.exe Token: 36 2280 svchost.exe Token: 33 2280 svchost.exe Token: SeIncBasePriorityPrivilege 2280 svchost.exe Token: 33 2280 svchost.exe Token: SeIncBasePriorityPrivilege 2280 svchost.exe Token: SeAssignPrimaryTokenPrivilege 4352 svchost.exe Token: SeIncreaseQuotaPrivilege 4352 svchost.exe Token: SeSecurityPrivilege 4352 svchost.exe Token: SeTakeOwnershipPrivilege 4352 svchost.exe Token: SeLoadDriverPrivilege 4352 svchost.exe Token: SeSystemtimePrivilege 4352 svchost.exe Token: SeBackupPrivilege 4352 svchost.exe Token: SeRestorePrivilege 4352 svchost.exe Token: SeShutdownPrivilege 4352 svchost.exe Token: SeSystemEnvironmentPrivilege 4352 svchost.exe Token: SeUndockPrivilege 4352 svchost.exe Token: SeManageVolumePrivilege 4352 svchost.exe Token: SeAssignPrimaryTokenPrivilege 4352 svchost.exe Token: SeIncreaseQuotaPrivilege 4352 svchost.exe Token: SeSecurityPrivilege 4352 svchost.exe Token: SeTakeOwnershipPrivilege 4352 svchost.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exedescription pid process target process PID 3372 wrote to memory of 2280 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe svchost.exe PID 3372 wrote to memory of 2280 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe svchost.exe PID 3372 wrote to memory of 2280 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe svchost.exe PID 3372 wrote to memory of 4456 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe cmd.exe PID 3372 wrote to memory of 4456 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe cmd.exe PID 3372 wrote to memory of 4456 3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.exeC:\Windows\svchost.exe2⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Enumerates connected drives
- Remote Services: SMB/Windows Admin Shares
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Enumerates connected drives
- Remote Services: SMB/Windows Admin Shares
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Deployment.srdFilesize
3.0MB
MD5cbda55dcc4be08631604f07ea6ddda42
SHA136512056bbbd2530c14f5ee3b59d404548aa942a
SHA256ca4a8c7011fb0f91b7acf2b3362a960f75e5436dc55fe76a5d4c354be2dc21b2
SHA51222ed1726e2902f6d107b30167d410c7d36ee47a8474e2fd6f685c4f0c2c69d875ac897c0a67fbcaa5c173eb00d5c198c8e127b8d2b5ebbba2e0564ecb5954356
-
C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-walMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_5E65FCDD03110BA05402E762877D780EFilesize
510B
MD5a47c0dec71cd1aa0b21f34428ae4b4e0
SHA1209327a7b558d79fb69014185c41ec62682e63a5
SHA256c8699ee007a2bd04aa678897c4310d5fa5278e10332cd266b41a414988868cd1
SHA512a77bdd57e40a22527e51095de2d702fe76eba2b550556b39746765df98ed21ce6e99acb2027c7e073491c8400df6e8584affbf1b5a88b875c213e7317a813824
-
C:\Windows\SysWOW64\mscabo.comFilesize
76KB
MD5e02ce999fdf66035d7cdbdc19585eff0
SHA1886ba82210574979bbd070a3b5279589b9fd8772
SHA2568d6524aff6a6eba7663282eff6e7aa6313e041b49033852faecb71492ff04cc6
SHA5128084dcde12c3b150dae09abc4a30ced5212e0cc647a7d7276463253dce88555ee11171ee2bf6e73558447f52758c15d487fd47749741c4912238747ff7bd0ed1
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157Filesize
338B
MD5d7ef2fa7110279cf5e7fa0f07d48252c
SHA1d3291ed5d0ad5a19d98dd997ab6c39d79764b677
SHA25673c7ce8000d57bf3a28cfbd2202c5fdbe4cb52d14c51c582cb717e0c01eefe62
SHA5125a757303439ba6feb677689b7919a0e17dcdb482f48a1635f1d0f8d8fb1699e3246f8a5809716a6fa792519eb2b32878b769d7c40aaea582a83ab2e33860093d
-
memory/2280-55-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2280-52-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2280-60-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2280-62-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2280-68-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2280-69-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2280-72-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2280-73-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2280-75-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3372-30-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4312-2-0x0000016C74370000-0x0000016C74380000-memory.dmpFilesize
64KB
-
memory/4312-8-0x0000016C743D0000-0x0000016C743E0000-memory.dmpFilesize
64KB