Analysis
  max time kernel: 149s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 21-09-2024 00:15
Static task: static1
Behavioral task: behavioral1
  Sample: eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe
  Size: 484KB
  MD5: eeb69150b3638eaccfcb813a73e1d96a
  SHA1: ec679dd60d4bf98fded42e2bab1c332a35fc66ac
  SHA256: 1a9f1aca4450bc87896768a88e8df473a21a70fef8816152695cbe4971de5c86
  SHA512: 80401963eea507bd26cf65004c150e7640827fa726f69d1958d4b6f13dd7e499f106e4bfb464ec5cc2f85610db724dde4e9207b11509f99eb231f68d207fb94c
  SSDEEP: 12288:wP9GBWQch+L/ZgHP+v7xK0DmFwUfIp7JVyvWt1aBnSFAPHzeO:wPoBHch+uudKNffiv1aVSaPTeO
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                              Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  feuepe.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  V6oUpCF0mC.exe
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation  V6oUpCF0mC.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation  eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe
Executes dropped EXE (10 IoCs)
  pid   Process
  4584  V6oUpCF0mC.exe
  772   feuepe.exe
  3932  ayhost.exe
  5052  ayhost.exe
  2200  byhost.exe
  4312  byhost.exe
  5108  cyhost.exe
  1056  cyhost.exe
  3788  cyhost.exe
  2568  dyhost.exe

  resource                                                                      yara_rule
  behavioral2/memory/2168-5-0x0000000000400000-0x00000000004BE000-memory.dmp    upx
  behavioral2/memory/2168-4-0x0000000000400000-0x00000000004BE000-memory.dmp    upx
  behavioral2/memory/2168-7-0x0000000000400000-0x00000000004BE000-memory.dmp    upx
  behavioral2/memory/1056-86-0x0000000000400000-0x0000000000448000-memory.dmp   upx
  behavioral2/memory/2168-88-0x0000000000400000-0x00000000004BE000-memory.dmp   upx
  behavioral2/memory/3788-166-0x0000000000400000-0x0000000000448000-memory.dmp  upx
  behavioral2/memory/5108-167-0x0000000000400000-0x0000000000448000-memory.dmp  upx
  behavioral2/memory/5108-286-0x0000000000400000-0x0000000000448000-memory.dmp  upx
  behavioral2/memory/2168-290-0x0000000000400000-0x00000000004BE000-memory.dmp  upx
  behavioral2/memory/5108-292-0x0000000000400000-0x0000000000448000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 53 IoCs)
  description  ioc  Process
  52 of the 53 entries are "Set value (str)" writes to the same value, \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feuepe; they differ only in the data written and the writing process, listed here as data / Process in report order:
    "C:\\Users\\Admin\\feuepe.exe /z"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /S"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /r"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /t"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /d"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /G"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /c"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /T"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /D"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /q"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /a"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /B"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /v"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /h"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /Q"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /H"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /J"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /E"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /f"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /u"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /n"  V6oUpCF0mC.exe
    "C:\\Users\\Admin\\feuepe.exe /x"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /P"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /i"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /y"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /O"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /b"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /Y"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /N"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /p"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /A"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /F"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /w"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /Z"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /U"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /I"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /k"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /n"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /X"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /e"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /C"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /l"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /j"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /M"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /m"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /L"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /W"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /K"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /R"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /V"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /o"  feuepe.exe
    "C:\\Users\\Admin\\feuepe.exe /s"  feuepe.exe
  The remaining entry is a machine-wide Run key written by cyhost.exe:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Program Files (x86)\\Internet Explorer\\lvvm.exe"  cyhost.exe
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  pid   Process
  3416  tasklist.exe
  4936  tasklist.exe
Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                             procid_target
  PID 1852 set thread context of 2168  1852  eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe  82
  PID 3932 set thread context of 5052  3932  ayhost.exe                                          93
  PID 2200 set thread context of 4312  2200  byhost.exe                                          96
  PID 4312 set thread context of 4316  4312  byhost.exe                                          97
Drops file in Program Files directory (1 IoCs)
  description   ioc                                             Process
  File created  C:\Program Files (x86)\Internet Explorer\lvvm.exe  cyhost.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 13 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                      Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  feuepe.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cyhost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ayhost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  byhost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dyhost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  V6oUpCF0mC.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  byhost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process         occurrences in the report
  4584  V6oUpCF0mC.exe  4
  5052  ayhost.exe      26
  772   feuepe.exe      34
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4936  tasklist.exe
  Token: SeDebugPrivilege  3416  tasklist.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
  pid   Process
  1852  eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe
  2168  eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe
  4584  V6oUpCF0mC.exe
  772   feuepe.exe
  3932  ayhost.exe
  2200  byhost.exe
  2568  dyhost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  The report repeats each parent/child pair several times; distinct rows with their repeat count:
  description                         pid   Process                                             procid_target  occurrences
  PID 1852 wrote to memory of 2168    1852  eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe  82             8
  PID 2168 wrote to memory of 4584    2168  eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe  83             3
  PID 4584 wrote to memory of 772     4584  V6oUpCF0mC.exe                                      88             3
  PID 4584 wrote to memory of 1224    4584  V6oUpCF0mC.exe                                      89             3
  PID 1224 wrote to memory of 4936    1224  cmd.exe                                             91             3
  PID 2168 wrote to memory of 3932    2168  eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe  92             3
  PID 3932 wrote to memory of 5052    3932  ayhost.exe                                          93             10
  PID 2168 wrote to memory of 2200    2168  eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe  95             3
  PID 2200 wrote to memory of 4312    2200  byhost.exe                                          96             9
  PID 4312 wrote to memory of 4316    4312  byhost.exe                                          97             3
  PID 2168 wrote to memory of 5108    2168  eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe  101            3
  PID 5108 wrote to memory of 1056    5108  cyhost.exe                                          102            3
  PID 5108 wrote to memory of 3788    5108  cyhost.exe                                          105            3
  PID 2168 wrote to memory of 2568    2168  eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe  108            3
  PID 2168 wrote to memory of 2604    2168  eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe  109            3
  PID 2604 wrote to memory of 3416    2604  cmd.exe                                             111            1
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1852
    [2] C:\Users\Admin\AppData\Local\Temp\eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe"
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2168
      [3] C:\Users\Admin\V6oUpCF0mC.exe
          Command line: C:\Users\Admin\V6oUpCF0mC.exe
          - Modifies visibility of hidden/system files in Explorer
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 4584
        [4] C:\Users\Admin\feuepe.exe
            Command line: "C:\Users\Admin\feuepe.exe"
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            PID: 772
        [4] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del V6oUpCF0mC.exe
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 1224
          [5] C:\Windows\SysWOW64\tasklist.exe
              Command line: tasklist
              - Enumerates processes with tasklist
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID: 4936
      [3] C:\Users\Admin\ayhost.exe
          Command line: C:\Users\Admin\ayhost.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 3932
        [4] C:\Users\Admin\ayhost.exe
            Command line: "C:\Users\Admin\ayhost.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            PID: 5052
      [3] C:\Users\Admin\byhost.exe
          Command line: C:\Users\Admin\byhost.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 2200
        [4] C:\Users\Admin\byhost.exe
            Command line: "C:\Users\Admin\byhost.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 4312
          [5] C:\Windows\explorer.exe
              Command line: 000000D0*
              PID: 4316
      [3] C:\Users\Admin\cyhost.exe
          Command line: C:\Users\Admin\cyhost.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 5108
        [4] C:\Users\Admin\cyhost.exe
            Command line: C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
            - Executes dropped EXE
            PID: 1056
        [4] C:\Users\Admin\cyhost.exe
            Command line: C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
            - Executes dropped EXE
            PID: 3788
      [3] C:\Users\Admin\dyhost.exe
          Command line: C:\Users\Admin\dyhost.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 2568
      [3] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2604
        [4] C:\Windows\SysWOW64\tasklist.exe
            Command line: tasklist
            - Enumerates processes with tasklist
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 3416
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
  Defense Evasion
    Hide Artifacts (1)
      Hidden Files and Directories (1)
    Modify Registry (2)
Downloads