Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 16:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe
Resource
win7-20240704-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral2
Sample
edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe
-
Size
680KB
-
MD5
edfb253bb20650ad6d5e01d2b8f6d385
-
SHA1
542ba1671532e6d797a8877f6facfa4e7b77983b
-
SHA256
1dbc50d081f9780db588770d2df0753b9738a89aaf2d698a364b781e2576dc43
-
SHA512
b85739f2f5aec30ef1d02d82e0926a05c093b71f84e0c5bacabb7eefabbaefcd1647890470ffd84be7c93eca3042d94dbadef05b0b45b707316bae8e8c8dc880
-
SSDEEP
12288:zClephVMo7IYJAB++2RrxRAjbeNC2v+clES+vYOqH:+OhKpYyB/MrxRAZMES+b+
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\d2f57668\\X" Explorer.EXE -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" GFW6ssUz.exe Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" hiejuad.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\hosts 4kaq.exe -
Deletes itself 1 IoCs
pid Process 2508 cmd.exe -
Executes dropped EXE 12 IoCs
pid Process 2792 GFW6ssUz.exe 2896 hiejuad.exe 1784 2kaq.exe 984 2kaq.exe 2916 2kaq.exe 2348 2kaq.exe 3016 2kaq.exe 2976 2kaq.exe 3000 3kaq.exe 332 csrss.exe 1912 X 1976 4kaq.exe -
Loads dropped DLL 12 IoCs
pid Process 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 2792 GFW6ssUz.exe 2792 GFW6ssUz.exe 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 3000 3kaq.exe 3000 3kaq.exe 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe -
resource yara_rule behavioral1/memory/984-45-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2916-54-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2916-64-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/984-63-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2916-61-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2916-60-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/984-56-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/984-55-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2916-50-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2916-48-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/984-42-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/984-40-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/3016-78-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/3016-88-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2348-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2348-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3016-86-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2348-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3016-83-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2348-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3016-76-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2348-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/984-135-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2348-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3016-143-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/files/0x0005000000018712-156.dat upx behavioral1/memory/2732-163-0x0000000002AE0000-0x00000000031F9000-memory.dmp upx behavioral1/memory/1976-164-0x0000000000400000-0x0000000000B19000-memory.dmp upx behavioral1/memory/1976-171-0x0000000000400000-0x0000000000B19000-memory.dmp upx -
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 -
Adds Run key to start application 2 TTPs 54 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /n" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /a" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /f" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /B" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /P" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /q" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /x" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /t" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /k" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /L" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /U" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /I" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Init = "\"C:\\Users\\Admin\\AppData\\Roaming\\xvytcjjgj3vgwmrluluzvxrb2pavg2qe2\\svcnost.exe\"" 4kaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /V" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /o" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /r" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /c" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /J" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /O" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /N" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /S" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /m" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /Q" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /F" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /z" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /u" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /T" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /R" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /K" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /Y" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /w" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /b" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /l" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /e" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /Z" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /i" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /C" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /H" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /s" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /E" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /X" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /J" GFW6ssUz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /v" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /A" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /y" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /p" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /d" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /j" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /W" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /h" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /D" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /M" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /g" hiejuad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiejuad = "C:\\Users\\Admin\\hiejuad.exe /G" hiejuad.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2kaq.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 2kaq.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 2600 tasklist.exe 2140 tasklist.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 1784 set thread context of 984 1784 2kaq.exe 37 PID 1784 set thread context of 2916 1784 2kaq.exe 38 PID 1784 set thread context of 2348 1784 2kaq.exe 39 PID 1784 set thread context of 3016 1784 2kaq.exe 40 PID 1784 set thread context of 2976 1784 2kaq.exe 41 PID 3000 set thread context of 1740 3000 3kaq.exe 46 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2kaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GFW6ssUz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hiejuad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2kaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2kaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3kaq.exe -
Modifies registry class 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c083cd7f-4678-8cf0-12c0-a23b769d6830}\cid = "10767521908083790815" 3kaq.exe Key created \registry\machine\Software\Classes\Interface\{c083cd7f-4678-8cf0-12c0-a23b769d6830} 3kaq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c083cd7f-4678-8cf0-12c0-a23b769d6830}\u = "188" 3kaq.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2792 GFW6ssUz.exe 2792 GFW6ssUz.exe 2916 2kaq.exe 2348 2kaq.exe 3000 3kaq.exe 3000 3kaq.exe 3000 3kaq.exe 3000 3kaq.exe 1912 X 2896 hiejuad.exe 2348 2kaq.exe 2896 hiejuad.exe 2916 2kaq.exe 2896 hiejuad.exe 2896 hiejuad.exe 2896 hiejuad.exe 2916 2kaq.exe 2896 hiejuad.exe 2916 2kaq.exe 2916 2kaq.exe 2896 hiejuad.exe 2896 hiejuad.exe 2896 hiejuad.exe 2916 2kaq.exe 2896 hiejuad.exe 2916 2kaq.exe 2896 hiejuad.exe 2916 2kaq.exe 2896 hiejuad.exe 2896 hiejuad.exe 2916 2kaq.exe 2896 hiejuad.exe 2916 2kaq.exe 2916 2kaq.exe 2896 hiejuad.exe 2916 2kaq.exe 2916 2kaq.exe 2896 hiejuad.exe 2896 hiejuad.exe 2916 2kaq.exe 2916 2kaq.exe 2896 hiejuad.exe 2916 2kaq.exe 2896 hiejuad.exe 2896 hiejuad.exe 2916 2kaq.exe 2916 2kaq.exe 2916 2kaq.exe 2896 hiejuad.exe 2916 2kaq.exe 2896 hiejuad.exe 2916 2kaq.exe 2896 hiejuad.exe 2896 hiejuad.exe 2916 2kaq.exe 2916 2kaq.exe 2916 2kaq.exe 2896 hiejuad.exe 2916 2kaq.exe 2916 2kaq.exe 2916 2kaq.exe 2896 hiejuad.exe 2896 hiejuad.exe 2896 hiejuad.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2600 tasklist.exe Token: SeDebugPrivilege 3000 3kaq.exe Token: SeDebugPrivilege 3000 3kaq.exe Token: SeDebugPrivilege 2140 tasklist.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 2792 GFW6ssUz.exe 2896 hiejuad.exe 1784 2kaq.exe 984 2kaq.exe 3016 2kaq.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 332 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2732 wrote to memory of 2792 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 30 PID 2732 wrote to memory of 2792 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 30 PID 2732 wrote to memory of 2792 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 30 PID 2732 wrote to memory of 2792 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 30 PID 2792 wrote to memory of 2896 2792 GFW6ssUz.exe 31 PID 2792 wrote to memory of 2896 2792 GFW6ssUz.exe 31 PID 2792 wrote to memory of 2896 2792 GFW6ssUz.exe 31 PID 2792 wrote to memory of 2896 2792 GFW6ssUz.exe 31 PID 2792 wrote to memory of 2636 2792 GFW6ssUz.exe 32 PID 2792 wrote to memory of 2636 2792 GFW6ssUz.exe 32 PID 2792 wrote to memory of 2636 2792 GFW6ssUz.exe 32 PID 2792 wrote to memory of 2636 2792 GFW6ssUz.exe 32 PID 2636 wrote to memory of 2600 2636 cmd.exe 34 PID 2636 wrote to memory of 2600 2636 cmd.exe 34 PID 2636 wrote to memory of 2600 2636 cmd.exe 34 PID 2636 wrote to memory of 2600 2636 cmd.exe 34 PID 2732 wrote to memory of 1784 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 36 PID 2732 wrote to memory of 1784 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 36 PID 2732 wrote to memory of 1784 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 36 PID 2732 wrote to memory of 1784 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 36 PID 1784 wrote to memory of 984 1784 2kaq.exe 37 PID 1784 wrote to memory of 984 1784 2kaq.exe 37 PID 1784 wrote to memory of 984 1784 2kaq.exe 37 PID 1784 wrote to memory of 984 1784 2kaq.exe 37 PID 1784 wrote to memory of 984 1784 2kaq.exe 37 PID 1784 wrote to memory of 984 1784 2kaq.exe 37 PID 1784 wrote to memory of 984 1784 2kaq.exe 37 PID 1784 wrote to memory of 984 1784 2kaq.exe 37 PID 1784 wrote to memory of 2916 1784 2kaq.exe 38 PID 1784 wrote to memory of 2916 1784 2kaq.exe 38 PID 1784 wrote to memory of 2916 1784 2kaq.exe 38 PID 1784 wrote to memory of 2916 1784 2kaq.exe 38 PID 1784 wrote to memory of 2916 1784 2kaq.exe 38 PID 1784 wrote to memory of 2916 1784 2kaq.exe 38 PID 1784 wrote to memory of 2916 1784 2kaq.exe 38 PID 1784 wrote to memory of 2916 1784 2kaq.exe 38 PID 1784 wrote to memory of 2348 1784 2kaq.exe 39 PID 1784 wrote to memory of 2348 1784 2kaq.exe 39 PID 1784 wrote to memory of 2348 1784 2kaq.exe 39 PID 1784 wrote to memory of 2348 1784 2kaq.exe 39 PID 1784 wrote to memory of 2348 1784 2kaq.exe 39 PID 1784 wrote to memory of 2348 1784 2kaq.exe 39 PID 1784 wrote to memory of 2348 1784 2kaq.exe 39 PID 1784 wrote to memory of 2348 1784 2kaq.exe 39 PID 1784 wrote to memory of 3016 1784 2kaq.exe 40 PID 1784 wrote to memory of 3016 1784 2kaq.exe 40 PID 1784 wrote to memory of 3016 1784 2kaq.exe 40 PID 1784 wrote to memory of 3016 1784 2kaq.exe 40 PID 1784 wrote to memory of 3016 1784 2kaq.exe 40 PID 1784 wrote to memory of 3016 1784 2kaq.exe 40 PID 1784 wrote to memory of 3016 1784 2kaq.exe 40 PID 1784 wrote to memory of 3016 1784 2kaq.exe 40 PID 1784 wrote to memory of 2976 1784 2kaq.exe 41 PID 1784 wrote to memory of 2976 1784 2kaq.exe 41 PID 1784 wrote to memory of 2976 1784 2kaq.exe 41 PID 1784 wrote to memory of 2976 1784 2kaq.exe 41 PID 1784 wrote to memory of 2976 1784 2kaq.exe 41 PID 2732 wrote to memory of 3000 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 42 PID 2732 wrote to memory of 3000 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 42 PID 2732 wrote to memory of 3000 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 42 PID 2732 wrote to memory of 3000 2732 edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe 42 PID 3000 wrote to memory of 1200 3000 3kaq.exe 21 PID 3000 wrote to memory of 332 3000 3kaq.exe 2 PID 3000 wrote to memory of 1912 3000 3kaq.exe 43
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:332
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies WinLogon for persistence
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Users\Admin\GFW6ssUz.exeC:\Users\Admin\GFW6ssUz.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Users\Admin\hiejuad.exe"C:\Users\Admin\hiejuad.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2896
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del GFW6ssUz.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
-
-
-
C:\Users\Admin\2kaq.exeC:\Users\Admin\2kaq.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Users\Admin\2kaq.exe"C:\Users\Admin\2kaq.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:984
-
-
C:\Users\Admin\2kaq.exe"C:\Users\Admin\2kaq.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2916
-
-
C:\Users\Admin\2kaq.exe"C:\Users\Admin\2kaq.exe"4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2348
-
-
C:\Users\Admin\2kaq.exe"C:\Users\Admin\2kaq.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3016
-
-
C:\Users\Admin\2kaq.exe"C:\Users\Admin\2kaq.exe"4⤵
- Executes dropped EXE
PID:2976
-
-
-
C:\Users\Admin\3kaq.exeC:\Users\Admin\3kaq.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\AppData\Local\d2f57668\X*0*bc*6a9213df*31.193.3.240:534⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1912
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1740
-
-
-
C:\Users\Admin\4kaq.exeC:\Users\Admin\4kaq.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
PID:1976
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del edfb253bb20650ad6d5e01d2b8f6d385_JaffaCakes118.exe3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:1528
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵PID:1188
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
132KB
MD5d7dbb57f65cb963477a8fa11714ec0be
SHA1756d29032644973b9f48980a1e30448206811119
SHA25694242fda567e2b4dc0be9d4ca5370ff0ddee2d25751dd191c3fed995837c10ec
SHA5121db3577abd73c8c8667da426faedf63ad9c7a75462cbeac0be19a525690baaa9f1d8446d3b804abbf24550d73cbefecf6c77c224539e8dd5db37f34f7e975fdc
-
Filesize
277KB
MD500b72668c42555c6d9e3cee383730fc0
SHA1509a7c39baf2b9a46813c641cca687b37e244d5a
SHA256baaacce5c3f18154d4925ec6568ccf66f4ab9ee5477bd0faf44f08d9397641dd
SHA5121bfa5cd6081a5e8556b452cf4741831da829fcc9e2b51c77c92a4fdacfa1b934d14bc049f8185be09b1447664f55956f69e7fd16a868c9655eb32f9b9ef02e78
-
Filesize
120KB
MD5ee3508d5206de400e5792c826ae71aae
SHA1b448132f604b7e886343b911cc56371a7f251c04
SHA256f6226f935ea3d5ecc4be3ccf6a59caff31ed3e6bd35c5d26fbe3906b4379b35d
SHA512233f72bf8cf5d72b7f7c09bf546220fa0c34511330349fa28ef4c746b19f59696b5e515a7d345862430979800be354ab954aa55f79747a83d601abdf32bd24fb
-
Filesize
38KB
MD572de2dadaf875e2fd7614e100419033c
SHA15f17c5330e91a42daa9ff24c4aa602bd1a72bf6e
SHA256c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381
SHA512e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3
-
Filesize
312KB
MD5d0250c92bd9e6c62c0c8227ea7bc0df4
SHA19a9fd691422b105c5e008764b980d1568c2df957
SHA256ee113e2ee5cd0d396af0e79c2390d059355d24e426886bbacda44d7f39a28007
SHA51299ab659dd56fabf0bd488f754cc7d1b166e1727b5a742d4262062946b5aa79577499fff55e434b6dbe05efa11e9ce2ce58cf68f30e29d9b5580e20de4e974200
-
Filesize
312KB
MD519b3d5d25b80624b2c4e6234f74da970
SHA199d171bede250f7ddcbd693b88985114ac344a63
SHA25634c29431419a80db69468293b5f697d14e46ea5ef6f32210b69b0242a35dedb8
SHA512c215bd57d29ea31214dcb8ef404951251bd6b3205984a29dee497960b100d3a35ed0ba739597c7527ae317fd3cd1f94c65fbbf1e80aa3ee4f3fa77ae9bd9f5a1
-
Filesize
29KB
MD51149c1bd71248a9d170e4568fb08df30
SHA16f77f183d65709901f476c5d6eebaed060a495f9
SHA256c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1
SHA5129e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459
-
Filesize
2KB
MD53a7482ba479bf81871823c500396d7f4
SHA14bfe4b0745895cce782cc0a90a8cfe9ba1cc3ca0
SHA25693fd7ce6c6fc5480976b1053b6fe569c589ff5e32ed7731074b827a220b7877e
SHA5124841c45264b44e15a96a438fe6c6ab94b56fa59f67b09f75b2c74850af88df7f5b9b2071d490eb1da4132cfe190f2ab716d8d86e9f80e87d1663bc48213f7cf3