Analysis
max time kernel: 129s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 18-09-2024 02:09
Static task: static1
Behavioral task: behavioral1
Sample: e82089d7aaed18cfb194e002ad1a2877_JaffaCakes118.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: e82089d7aaed18cfb194e002ad1a2877_JaffaCakes118.exe
Resource: win10v2004-20240910-en
General
Target: e82089d7aaed18cfb194e002ad1a2877_JaffaCakes118.exe
Size: 30KB
MD5: e82089d7aaed18cfb194e002ad1a2877
SHA1: badebd19433e7ac3e25aab76a931444700334565
SHA256: c7be6a021e8c60656ec1ce97e95270f5f30755973b6d66468d51e58ecd6db7d8
SHA512: 2b407cad6af7e815fa70be6601b3ada58a7e7e272b7546ff13b3bcc342eea1991c51fa4213c6e15557089983f18074783730aadb2b2389b41025b6f33811f307
SSDEEP: 768:06NFd1MyFqBHSr9tMLkGiIiuuOk0/br3HoU0:0YX15FkCciI7k0T750
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage 64 IoCs
Deletes itself 1 IoCs
pid    Process
15376  Process not Found
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree: each entry gives the nesting depth, image path, command line and PID, followed by the signatures that process triggered.

depth 1: C:\Users\Admin\AppData\Local\Temp\e82089d7aaed18cfb194e002ad1a2877_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\e82089d7aaed18cfb194e002ad1a2877_JaffaCakes118.exe") PID: 2904
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 2: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2376
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 3: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1352
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 4: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1744
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
depth 5: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2292
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
depth 6: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2684
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 7: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2436
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 8: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2740
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 9: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2852
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 10: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2748
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 11: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2876
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 12: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2708
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 13: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2908
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 14: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2872
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 15: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2864
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 16: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2624
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 17: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1536
- Executes dropped EXE
- Loads dropped DLL
depth 18: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1128
- Executes dropped EXE
- Loads dropped DLL
depth 19: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1908
- Executes dropped EXE
- Loads dropped DLL
depth 20: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2368
- Executes dropped EXE
- Loads dropped DLL
depth 21: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2560
- Executes dropped EXE
- Loads dropped DLL
depth 22: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 840
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
depth 23: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1944
- Executes dropped EXE
- Loads dropped DLL
depth 24: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2944
- Executes dropped EXE
- Loads dropped DLL
depth 25: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2548
- Executes dropped EXE
- Loads dropped DLL
depth 26: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1680
- Executes dropped EXE
- Loads dropped DLL
depth 27: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2920
- Executes dropped EXE
- Loads dropped DLL
depth 28: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2228
- Executes dropped EXE
- Loads dropped DLL
depth 29: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2964
- Executes dropped EXE
- Loads dropped DLL
depth 30: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2164
- Executes dropped EXE
- Loads dropped DLL
depth 31: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 852
- Executes dropped EXE
- Loads dropped DLL
depth 32: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2332
- Executes dropped EXE
- Loads dropped DLL
depth 33: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1828
- Executes dropped EXE
depth 34: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1324
- Executes dropped EXE
depth 35: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1956
- Executes dropped EXE
depth 36: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1776
- Executes dropped EXE
depth 37: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1208
- Executes dropped EXE
depth 38: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2572
- Executes dropped EXE
depth 39: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2576
- Executes dropped EXE
depth 40: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1992
- Executes dropped EXE
depth 41: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2236
- Executes dropped EXE
depth 42: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2408
- Executes dropped EXE
depth 43: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2176
- Executes dropped EXE
depth 44: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 3012
- Executes dropped EXE
depth 45: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2396
- Executes dropped EXE
depth 46: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2552
- Executes dropped EXE
depth 47: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1952
- Executes dropped EXE
depth 48: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2416
- Executes dropped EXE
depth 49: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1732
- Executes dropped EXE
depth 50: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1664
- Executes dropped EXE
depth 51: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 984
- Executes dropped EXE
depth 52: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1916
- Executes dropped EXE
depth 53: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 272
- Executes dropped EXE
depth 54: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 888
- Executes dropped EXE
depth 55: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2168
- Executes dropped EXE
depth 56: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1548
- Executes dropped EXE
depth 57: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1656
- Executes dropped EXE
depth 58: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 596
- Executes dropped EXE
depth 59: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1372
- Executes dropped EXE
- Drops file in System32 directory
depth 60: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1420
- Executes dropped EXE
depth 61: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 832
- Executes dropped EXE
depth 62: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 608
- Executes dropped EXE
depth 63: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2148
- Executes dropped EXE
depth 64: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1228
- Executes dropped EXE
depth 65: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1708
- Executes dropped EXE
depth 66: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 3036
depth 67: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2980
depth 68: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1088
depth 69: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 328
depth 70: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2112
depth 71: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2400
depth 72: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 880
depth 73: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2676
depth 74: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2524
depth 75: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2768
depth 76: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2340
depth 77: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1620
depth 78: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1624
depth 79: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1628
depth 80: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1948
depth 81: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1204
depth 82: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1296
depth 83: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2200
depth 84: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2220
depth 85: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2208
depth 86: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2276
depth 87: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2736
depth 88: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2832
depth 89: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2848
depth 90: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2716
depth 91: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2052
depth 92: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2880
depth 93: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1724
depth 94: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2224
depth 95: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2704
depth 96: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2596
depth 97: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2612
depth 98: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2712
depth 99: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2644
depth 100: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2152
depth 101: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2504
depth 102: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2280
depth 103: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1996
depth 104: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1988
depth 105: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1644
depth 106: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1492
depth 107: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2024
depth 108: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2448
depth 109: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1164
depth 110: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2652
depth 111: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 3044
depth 112: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 480
depth 113: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 900
depth 114: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1008
depth 115: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1444
depth 116: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1572
depth 117: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2912
- System Location Discovery: System Language Discovery
depth 118: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1720
depth 119: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 2204
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
depth 120: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 3008
depth 121: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1936
depth 122: C:\Windows\SysWOW64\svvosts.exe (command line: C:\Windows\system32\svvosts.exe) PID: 1832