Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240910-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/09/2024, 04:06
Static task: static1
Behavioral task: behavioral1
  Sample: e1ac6db7c31fd23ef5b4d029a826ea97_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e1ac6db7c31fd23ef5b4d029a826ea97_JaffaCakes118.exe
  Resource: win10v2004-20240910-en
General
Target: e1ac6db7c31fd23ef5b4d029a826ea97_JaffaCakes118.exe
Size: 524KB
MD5: e1ac6db7c31fd23ef5b4d029a826ea97
SHA1: 2d27eeba650066f80ab7af44053a23d057f00fd0
SHA256: 4d631eb57dc2affec9c50e59e2d984735ef05d67914106d2db716d7ca055fe58
SHA512: 9741e29e60b6a3ae512a48d11539195888aa49e91976292b257cf07b5caef776fb4bb0bdcd07c99c42798c5ec46b44e2bcd5b3923f7de99489fb6552a36ca8c2
SSDEEP: 12288:SSFMFpuhRp8tmnkX4C4IosE/rSkU19Zt/kMM22:lF+u+gkX3o1jSkErM2
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | biuraiq.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | JB3O2vP3.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | JB3O2vP3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | e1ac6db7c31fd23ef5b4d029a826ea97_JaffaCakes118.exe
Executes dropped EXE (10 IoCs)
pid | Process
4192 | JB3O2vP3.exe
5008 | biuraiq.exe
3240 | 2sun.exe
1168 | 2sun.exe
2076 | 2sun.exe
2360 | 2sun.exe
4188 | 2sun.exe
2096 | 2sun.exe
2592 | 3sun.exe
224 | X
resource | yara_rule
behavioral2/memory/4188-65-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/2360-66-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/2360-68-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/4188-63-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/4188-59-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/2076-57-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/2076-56-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/2360-55-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/2076-54-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/1168-52-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/1168-51-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/2076-49-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/1168-47-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/1168-76-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/2360-87-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/4188-90-0x0000000000400000-0x0000000000407000-memory.dmp | upx
Unexpected DNS network traffic destination (2 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 31.193.3.240
Destination IP | 31.193.3.240
Adds Run key to start application (2 TTPs, 52 IoCs)
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 2sun.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 2sun.exe
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
pid | Process
3132 | tasklist.exe
1628 | tasklist.exe
Suspicious use of SetThreadContext (5 IoCs)
description | pid | Process | procid_target
PID 3240 set thread context of 1168 | 3240 | 2sun.exe | 93
PID 3240 set thread context of 2076 | 3240 | 2sun.exe | 94
PID 3240 set thread context of 2360 | 3240 | 2sun.exe | 95
PID 3240 set thread context of 4188 | 3240 | 2sun.exe | 96
PID 3240 set thread context of 2096 | 3240 | 2sun.exe | 97
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3172 | 2096 | WerFault.exe | 97
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | biuraiq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2sun.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2sun.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e1ac6db7c31fd23ef5b4d029a826ea97_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JB3O2vP3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2sun.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3sun.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings | explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3132 | tasklist.exe
Token: SeDebugPrivilege | 2592 | 3sun.exe
Token: SeDebugPrivilege | 2592 | 3sun.exe
Token: SeDebugPrivilege | 1628 | tasklist.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
3936 | e1ac6db7c31fd23ef5b4d029a826ea97_JaffaCakes118.exe
4192 | JB3O2vP3.exe
5008 | biuraiq.exe
3240 | 2sun.exe
1168 | 2sun.exe
4188 | 2sun.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\e1ac6db7c31fd23ef5b4d029a826ea97_JaffaCakes118.exe (PID 3936)
  command line: "C:\Users\Admin\AppData\Local\Temp\e1ac6db7c31fd23ef5b4d029a826ea97_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\JB3O2vP3.exe (PID 4192)
    command line: C:\Users\Admin\JB3O2vP3.exe
    - Modifies visibility of hidden/system files in Explorer
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\biuraiq.exe (PID 5008)
      command line: "C:\Users\Admin\biuraiq.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\cmd.exe (PID 4580)
      command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del JB3O2vP3.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\tasklist.exe (PID 3132)
        command line: tasklist
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\2sun.exe (PID 3240)
    command line: C:\Users\Admin\2sun.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\2sun.exe (PID 1168)
      command line: "C:\Users\Admin\2sun.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\2sun.exe (PID 2076)
      command line: "C:\Users\Admin\2sun.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\2sun.exe (PID 2360)
      command line: "C:\Users\Admin\2sun.exe"
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\2sun.exe (PID 4188)
      command line: "C:\Users\Admin\2sun.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\2sun.exe (PID 2096)
      command line: "C:\Users\Admin\2sun.exe"
      - Executes dropped EXE
      C:\Windows\SysWOW64\WerFault.exe (PID 3172)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 80
        - Program crash
  C:\Users\Admin\3sun.exe (PID 2592)
    command line: C:\Users\Admin\3sun.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\05b64a10\X (PID 224)
      command line: *0*bc*214d1ede*31.193.3.240:53
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\explorer.exe (PID 1988)
        command line: "C:\Windows\explorer.exe"
        - Modifies registry class
  C:\Windows\SysWOW64\cmd.exe (PID 1804)
    command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del e1ac6db7c31fd23ef5b4d029a826ea97_JaffaCakes118.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\tasklist.exe (PID 1628)
      command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 2256)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2096 -ip 2096
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)
Downloads