6f698266c445042f164294eb13f3bdae5a40d9d1fc806385e54ff7e68d9e40ae

Analysis

max time kernel
148s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
Size

1.4MB
MD5

ece45b41ad2da1b6a8461fcfc995a98a
SHA1

26888e6c55625762a1f56d4ef070bf93dd30ae1f
SHA256

6f698266c445042f164294eb13f3bdae5a40d9d1fc806385e54ff7e68d9e40ae
SHA512

7dca1ea6933ee1e4ee8b8782b8c6dc92b376ca038790707592a1bdbaaf3ab6dc06dbc1d07c02495844aed8e6d8b2d6841106d531917e503f3ced77468f70bb09
SSDEEP

24576:8Q8P/D6oeQKqCodL/HQWrfcEdpOpIB40NkJX+E7F+tim+EoUhsZxnt7NjjkKCGCz:8pP/jCoBwWrEFIZyJPyWjt7x1dzl9+

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Temp\svhost.exe = "C:\\Windows\\Temp\\svhost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\DC.exe = "C:\\Users\\Admin\\AppData\\Roaming\\DC.exe:*:Enabled:Windows Messanger"	reg.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe	cmd.exe

Executes dropped EXE 40 IoCs

pid	Process
2764	svhost.exe
2888	%appdata%.exe
2752	svhost.exe
2744	svhost.exe
2636	svhost.exe
2404	rundll32 .exe
1408	svhost.exe
412	svhost.exe
2708	svhost.exe
1104	svhost.exe
1792	rundll32 .exe
2356	svhost.exe
1524	svhost.exe
1496	svhost.exe
1180	svhost.exe
2072	rundll32 .exe
1436	svhost.exe
880	svhost.exe
1536	svhost.exe
2064	svhost.exe
2532	rundll32 .exe
2704	svhost.exe
2584	svhost.exe
1164	svhost.exe
2436	svhost.exe
1788	rundll32 .exe
2556	svhost.exe
1144	svhost.exe
1868	svhost.exe
2340	svhost.exe
2336	rundll32 .exe
2384	svhost.exe
2808	svhost.exe
2884	svhost.exe
2868	svhost.exe
680	rundll32 .exe
2240	svhost.exe
1072	svhost.exe
2824	svhost.exe
1900	svhost.exe

Loads dropped DLL 14 IoCs

pid	Process
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32 .exe"	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 2764	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	35
PID 2404 set thread context of 1408	2404	rundll32 .exe	58
PID 1792 set thread context of 2356	1792	rundll32 .exe	64
PID 2072 set thread context of 1436	2072	rundll32 .exe	70
PID 2532 set thread context of 2704	2532	rundll32 .exe	76
PID 1788 set thread context of 2556	1788	rundll32 .exe	83
PID 2336 set thread context of 2384	2336	rundll32 .exe	89
PID 680 set thread context of 2240	680	rundll32 .exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%appdata%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1848	PING.EXE
2664	PING.EXE
2708	PING.EXE
2884	PING.EXE
1292	PING.EXE
3052	PING.EXE
2712	PING.EXE

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1712	reg.exe
1100	reg.exe
604	reg.exe
2436	reg.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
1848	PING.EXE
2664	PING.EXE
2708	PING.EXE
2884	PING.EXE
1292	PING.EXE
3052	PING.EXE
2712	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
2404	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
1792	rundll32 .exe
2072	rundll32 .exe
2072	rundll32 .exe
2072	rundll32 .exe
2072	rundll32 .exe
2072	rundll32 .exe
2072	rundll32 .exe
2072	rundll32 .exe
2072	rundll32 .exe
2072	rundll32 .exe
2072	rundll32 .exe
2072	rundll32 .exe
2072	rundll32 .exe
2072	rundll32 .exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
Token: 1	2764	svhost.exe
Token: SeCreateTokenPrivilege	2764	svhost.exe
Token: SeAssignPrimaryTokenPrivilege	2764	svhost.exe
Token: SeLockMemoryPrivilege	2764	svhost.exe
Token: SeIncreaseQuotaPrivilege	2764	svhost.exe
Token: SeMachineAccountPrivilege	2764	svhost.exe
Token: SeTcbPrivilege	2764	svhost.exe
Token: SeSecurityPrivilege	2764	svhost.exe
Token: SeTakeOwnershipPrivilege	2764	svhost.exe
Token: SeLoadDriverPrivilege	2764	svhost.exe
Token: SeSystemProfilePrivilege	2764	svhost.exe
Token: SeSystemtimePrivilege	2764	svhost.exe
Token: SeProfSingleProcessPrivilege	2764	svhost.exe
Token: SeIncBasePriorityPrivilege	2764	svhost.exe
Token: SeCreatePagefilePrivilege	2764	svhost.exe
Token: SeCreatePermanentPrivilege	2764	svhost.exe
Token: SeBackupPrivilege	2764	svhost.exe
Token: SeRestorePrivilege	2764	svhost.exe
Token: SeShutdownPrivilege	2764	svhost.exe
Token: SeDebugPrivilege	2764	svhost.exe
Token: SeAuditPrivilege	2764	svhost.exe
Token: SeSystemEnvironmentPrivilege	2764	svhost.exe
Token: SeChangeNotifyPrivilege	2764	svhost.exe
Token: SeRemoteShutdownPrivilege	2764	svhost.exe
Token: SeUndockPrivilege	2764	svhost.exe
Token: SeSyncAgentPrivilege	2764	svhost.exe
Token: SeEnableDelegationPrivilege	2764	svhost.exe
Token: SeManageVolumePrivilege	2764	svhost.exe
Token: SeImpersonatePrivilege	2764	svhost.exe
Token: SeCreateGlobalPrivilege	2764	svhost.exe
Token: 31	2764	svhost.exe
Token: 32	2764	svhost.exe
Token: 33	2764	svhost.exe
Token: 34	2764	svhost.exe
Token: 35	2764	svhost.exe
Token: SeDebugPrivilege	2404	rundll32 .exe
Token: SeDebugPrivilege	1792	rundll32 .exe
Token: SeDebugPrivilege	2072	rundll32 .exe
Token: SeDebugPrivilege	2532	rundll32 .exe
Token: SeDebugPrivilege	1788	rundll32 .exe
Token: SeDebugPrivilege	2336	rundll32 .exe
Token: SeDebugPrivilege	680	rundll32 .exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2764	svhost.exe
2764	svhost.exe
2888	%appdata%.exe
2764	svhost.exe
2888	%appdata%.exe
1408	svhost.exe
1408	svhost.exe
2356	svhost.exe
2356	svhost.exe
1436	svhost.exe
1436	svhost.exe
2704	svhost.exe
2704	svhost.exe
2556	svhost.exe
2556	svhost.exe
2384	svhost.exe
2384	svhost.exe
2240	svhost.exe
2240	svhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2124	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2124	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2124	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2124	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2624	2124	cmd.exe	33
PID 2124 wrote to memory of 2624	2124	cmd.exe	33
PID 2124 wrote to memory of 2624	2124	cmd.exe	33
PID 2124 wrote to memory of 2624	2124	cmd.exe	33
PID 2336 wrote to memory of 2636	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	34
PID 2336 wrote to memory of 2636	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	34
PID 2336 wrote to memory of 2636	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	34
PID 2336 wrote to memory of 2636	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	34
PID 2336 wrote to memory of 2764	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	35
PID 2336 wrote to memory of 2764	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	35
PID 2336 wrote to memory of 2764	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	35
PID 2336 wrote to memory of 2764	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	35
PID 2336 wrote to memory of 2764	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	35
PID 2336 wrote to memory of 2764	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	35
PID 2336 wrote to memory of 2764	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	35
PID 2336 wrote to memory of 2764	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	35
PID 2336 wrote to memory of 2744	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	36
PID 2336 wrote to memory of 2744	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	36
PID 2336 wrote to memory of 2744	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	36
PID 2336 wrote to memory of 2744	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	36
PID 2336 wrote to memory of 2752	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	37
PID 2336 wrote to memory of 2752	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	37
PID 2336 wrote to memory of 2752	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	37
PID 2336 wrote to memory of 2752	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	37
PID 2336 wrote to memory of 2888	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	38
PID 2336 wrote to memory of 2888	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	38
PID 2336 wrote to memory of 2888	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	38
PID 2336 wrote to memory of 2888	2336	ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe	38
PID 2764 wrote to memory of 2348	2764	svhost.exe	39
PID 2764 wrote to memory of 2348	2764	svhost.exe	39
PID 2764 wrote to memory of 2348	2764	svhost.exe	39
PID 2764 wrote to memory of 2348	2764	svhost.exe	39
PID 2764 wrote to memory of 2588	2764	svhost.exe	40
PID 2764 wrote to memory of 2588	2764	svhost.exe	40
PID 2764 wrote to memory of 2588	2764	svhost.exe	40
PID 2764 wrote to memory of 2588	2764	svhost.exe	40
PID 2764 wrote to memory of 2528	2764	svhost.exe	42
PID 2764 wrote to memory of 2528	2764	svhost.exe	42
PID 2764 wrote to memory of 2528	2764	svhost.exe	42
PID 2764 wrote to memory of 2528	2764	svhost.exe	42
PID 2764 wrote to memory of 2548	2764	svhost.exe	43
PID 2764 wrote to memory of 2548	2764	svhost.exe	43
PID 2764 wrote to memory of 2548	2764	svhost.exe	43
PID 2764 wrote to memory of 2548	2764	svhost.exe	43
PID 2548 wrote to memory of 604	2548	cmd.exe	47
PID 2548 wrote to memory of 604	2548	cmd.exe	47
PID 2548 wrote to memory of 604	2548	cmd.exe	47
PID 2548 wrote to memory of 604	2548	cmd.exe	47
PID 2348 wrote to memory of 2436	2348	cmd.exe	48
PID 2348 wrote to memory of 2436	2348	cmd.exe	48
PID 2348 wrote to memory of 2436	2348	cmd.exe	48
PID 2348 wrote to memory of 2436	2348	cmd.exe	48
PID 2588 wrote to memory of 1712	2588	cmd.exe	49
PID 2588 wrote to memory of 1712	2588	cmd.exe	49
PID 2588 wrote to memory of 1712	2588	cmd.exe	49
PID 2588 wrote to memory of 1712	2588	cmd.exe	49
PID 2528 wrote to memory of 1100	2528	cmd.exe	50
PID 2528 wrote to memory of 1100	2528	cmd.exe	50
PID 2528 wrote to memory of 1100	2528	cmd.exe	50
PID 2528 wrote to memory of 1100	2528	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ece45b41ad2da1b6a8461fcfc995a98a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\java.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\java2.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\java2.bat" "
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      PID:1644
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svhost.exe" /t REG_SZ /d "C:\Windows\Temp\svhost.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svhost.exe" /t REG_SZ /d "C:\Windows\Temp\svhost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DC.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DC.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DC.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DC.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:604
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\%appdata%.exe
  "C:\Users\Admin\AppData\Local\Temp\%appdata%.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\per.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2036
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 5000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2884
- - C:\Users\Admin\AppData\Roaming\rundll32 .exe
    "C:\Users\Admin\AppData\Roaming\rundll32 .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:2708
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1408
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:412
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:1104
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 5000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1292
- - C:\Users\Admin\AppData\Roaming\rundll32 .exe
    "C:\Users\Admin\AppData\Roaming\rundll32 .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:1496
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2356
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:1524
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:1180
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 5000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3052
- - C:\Users\Admin\AppData\Roaming\rundll32 .exe
    "C:\Users\Admin\AppData\Roaming\rundll32 .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:880
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1436
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:2064
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:1536
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 5000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2712
- - C:\Users\Admin\AppData\Roaming\rundll32 .exe
    "C:\Users\Admin\AppData\Roaming\rundll32 .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:2584
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2704
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:1164
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:2436
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 5000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1848
- - C:\Users\Admin\AppData\Roaming\rundll32 .exe
    "C:\Users\Admin\AppData\Roaming\rundll32 .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:1868
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2556
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:2340
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:1144
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 5000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2664
- - C:\Users\Admin\AppData\Roaming\rundll32 .exe
    "C:\Users\Admin\AppData\Roaming\rundll32 .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:2884
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2384
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:2868
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:2808
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 5000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2708
- - C:\Users\Admin\AppData\Roaming\rundll32 .exe
    "C:\Users\Admin\AppData\Roaming\rundll32 .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:680
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:2824
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2240
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:1072
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\%appdata%.exe

Filesize
296KB

MD5
5fa00b54af72695a1263b7be9e9a669b

SHA1
4a50ecb9b95d74a59f55e3d7429bd6df45aaa687

SHA256
32173c5e09f26a2e8c96a153c5806df121fa37fef3c6f38a7d1c86c3cf2aab81

SHA512
188c0c2c5f663612d7fdbdd7dafd09d4e1f87c75e6756558034c55b96938c6c259bced60292bac7178cf33ed55bb5b013f295e0d37fd65cd7ecc309a603bbb78

Download Submit
C:\Users\Admin\AppData\Roaming\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\java.bat

Filesize
53B

MD5
1896de26a454df8628034ca3e0649905

SHA1
76b98d95a85d043539706b89194c46cf14464abe

SHA256
d85e713743c7e622166fb0f79478de5eabd53d3fe92bd2011ab441bc85ef2208

SHA512
ef69dacd7e717dff05f8a70c5b9a94011f2df3201cc41d5f8cc030f350b069dc090c5b0d3d0bd19098a187977a82d570e1ee153849f609a65889ba789da953d2

Download Submit
C:\Users\Admin\AppData\Roaming\java2.bat

Filesize
160B

MD5
e8170b6565dfb34d114cfa398ba77296

SHA1
9079335b0ec9a509b7344cb98713fc0b52afa36e

SHA256
76ff7c88cc815c8acd61f835033baf5b92eee085e7316c7230f7c363d1e1974b

SHA512
1b473fe0a68642ff1741f4619f819b040f8d54696d40e74dd9ad692b56729e455bbe54cb76b382bb1fce5e1eae97dd8c99aeb762915f7147bba59d0ba60d004d

Download Submit
C:\Users\Admin\AppData\Roaming\per.bat

Filesize
108B

MD5
7f8f770195ead2e737a66a370f122505

SHA1
6d8b89545218af69ee325b19efd1456162971fa1

SHA256
0ea43eae1c80a681e987d8306d03b0375ddd63861f9930501b64284db6682971

SHA512
002615491c12b43873dc9c2f54e35cb3091d99f6734ccd2d6b8ce663b0c7999a957b4122dfdfbd77869fa91bb679a50be9387ac440821367c554c84a11edf148

Download Submit
C:\Users\Admin\AppData\Roaming\rundll32-.txt

Filesize
1.4MB

MD5
ece45b41ad2da1b6a8461fcfc995a98a

SHA1
26888e6c55625762a1f56d4ef070bf93dd30ae1f

SHA256
6f698266c445042f164294eb13f3bdae5a40d9d1fc806385e54ff7e68d9e40ae

SHA512
7dca1ea6933ee1e4ee8b8782b8c6dc92b376ca038790707592a1bdbaaf3ab6dc06dbc1d07c02495844aed8e6d8b2d6841106d531917e503f3ced77468f70bb09

Download Submit
C:\Windows\Temp\svhost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1408-102-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/1408-103-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1436-143-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2336-0-0x0000000074D21000-0x0000000074D22000-memory.dmp

Filesize
4KB

Download
memory/2336-5-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2336-1-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2336-2-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2336-83-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2336-71-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2356-123-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2556-180-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2704-160-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-73-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-72-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-104-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-106-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-126-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-144-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-145-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-31-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-164-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-166-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-35-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-184-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-185-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download