Analysis
max time kernel
150s
max time network
131s
platform
windows7_x64
resource
win7-20240704-en
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted
21/09/2024, 00:28
Static task
static1
Behavioral task
behavioral1
Sample
eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
Target
eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe
Size
524KB
MD5
eebb4813600a92e8c2ce7b55a90ad885
SHA1
8f3ae9a52cd9ca728205b029d5f2c4cd7a7fd99d
SHA256
b5277d03212e490e2cdc4d76fb285488f7aaec2e77c3eb6fcda5ad2b04085f91
SHA512
fe5a7a117632ef7ef5dec5046963d49944b8effa3752c397107dce818477a5ade8a18a930e89d4c3cd46825143e18c65e74a748e265ab0697945670da2aacb7b
SSDEEP
12288:eSFMFpuhRp8tmnkX4C4IosE/rSkU19Zt/kMM22:pF+u+gkX3o1jSkErM2
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\d2f57668\\X" Explorer.EXE
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" JB3O2vP3.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" juiofu.exe
Deletes itself 1 IoCs
pid Process
572 cmd.exe
Executes dropped EXE 11 IoCs
pid Process
372 JB3O2vP3.exe
2808 juiofu.exe
2484 2sun.exe
2464 2sun.exe
612 2sun.exe
2608 2sun.exe
1920 2sun.exe
980 2sun.exe
2232 3sun.exe
1668 X
332 csrss.exe
Loads dropped DLL 10 IoCs
pid Process
2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe
2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe
372 JB3O2vP3.exe
372 JB3O2vP3.exe
2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe
2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe
2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe
2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe
2232 3sun.exe
2232 3sun.exe
resource yara_rule
behavioral1/memory/2464-43-0x0000000000400000-0x0000000000407000-memory.dmp upx
behavioral1/memory/2464-41-0x0000000000400000-0x0000000000407000-memory.dmp upx
behavioral1/memory/2464-57-0x0000000000400000-0x0000000000407000-memory.dmp upx
behavioral1/memory/2464-56-0x0000000000400000-0x0000000000407000-memory.dmp upx
behavioral1/memory/1920-85-0x0000000000400000-0x0000000000407000-memory.dmp upx
behavioral1/memory/1920-84-0x0000000000400000-0x0000000000407000-memory.dmp upx
behavioral1/memory/2608-92-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/2608-91-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/2608-73-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/612-71-0x0000000000400000-0x000000000040E000-memory.dmp upx
behavioral1/memory/2464-70-0x0000000000400000-0x0000000000407000-memory.dmp upx
behavioral1/memory/612-68-0x0000000000400000-0x000000000040E000-memory.dmp upx
behavioral1/memory/612-65-0x0000000000400000-0x000000000040E000-memory.dmp upx
behavioral1/memory/2608-63-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/1920-88-0x0000000000400000-0x0000000000407000-memory.dmp upx
behavioral1/memory/2608-61-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/1920-82-0x0000000000400000-0x0000000000407000-memory.dmp upx
behavioral1/memory/1920-78-0x0000000000400000-0x0000000000407000-memory.dmp upx
behavioral1/memory/1920-76-0x0000000000400000-0x0000000000407000-memory.dmp upx
behavioral1/memory/612-55-0x0000000000400000-0x000000000040E000-memory.dmp upx
behavioral1/memory/612-52-0x0000000000400000-0x000000000040E000-memory.dmp upx
behavioral1/memory/612-50-0x0000000000400000-0x000000000040E000-memory.dmp upx
behavioral1/memory/2464-46-0x0000000000400000-0x0000000000407000-memory.dmp upx
behavioral1/memory/2464-103-0x0000000000400000-0x0000000000407000-memory.dmp upx
behavioral1/memory/2608-139-0x0000000000400000-0x0000000000427000-memory.dmp upx
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Adds Run key to start application 2 TTPs 50 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /f" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /A" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /v" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /m" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /x" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /X" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /y" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /V" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /h" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /b" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /w" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /c" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /Q" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /W" JB3O2vP3.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /U" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /u" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /K" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /M" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /S" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /o" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /W" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /n" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /E" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /k" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /P" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /L" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /g" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /a" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /e" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /J" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /O" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /T" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /z" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /F" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /B" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /d" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /q" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /j" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /l" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /p" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /Y" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /C" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /r" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /s" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /H" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /G" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /i" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /Z" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /D" juiofu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\juiofu = "C:\\Users\\Admin\\juiofu.exe /I" juiofu.exe
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2sun.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 2sun.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process
2752 tasklist.exe
3068 tasklist.exe
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target
PID 2484 set thread context of 2464 2484 2sun.exe 37
PID 2484 set thread context of 612 2484 2sun.exe 38
PID 2484 set thread context of 2608 2484 2sun.exe 39
PID 2484 set thread context of 1920 2484 2sun.exe 40
PID 2484 set thread context of 980 2484 2sun.exe 41
PID 2232 set thread context of 1744 2232 3sun.exe 45
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2sun.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3sun.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JB3O2vP3.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language juiofu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2sun.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2sun.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe
Modifies registry class 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c083cd7f-4678-8cf0-12c0-a23b769d6830}\u = "188" 3sun.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c083cd7f-4678-8cf0-12c0-a23b769d6830}\cid = "5500706786713899090" 3sun.exe
Key created \registry\machine\Software\Classes\Interface\{c083cd7f-4678-8cf0-12c0-a23b769d6830} 3sun.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
372 JB3O2vP3.exe
372 JB3O2vP3.exe
612 2sun.exe
2608 2sun.exe
2808 juiofu.exe
2808 juiofu.exe
2808 juiofu.exe
2608 2sun.exe
612 2sun.exe
2808 juiofu.exe
2808 juiofu.exe
2808 juiofu.exe
2232 3sun.exe
2232 3sun.exe
2232 3sun.exe
2232 3sun.exe
1668 X
612 2sun.exe
2808 juiofu.exe
612 2sun.exe
612 2sun.exe
2808 juiofu.exe
2808 juiofu.exe
2808 juiofu.exe
612 2sun.exe
2808 juiofu.exe
612 2sun.exe
2808 juiofu.exe
612 2sun.exe
2808 juiofu.exe
2808 juiofu.exe
612 2sun.exe
2808 juiofu.exe
612 2sun.exe
612 2sun.exe
2808 juiofu.exe
612 2sun.exe
612 2sun.exe
2808 juiofu.exe
2808 juiofu.exe
612 2sun.exe
612 2sun.exe
2808 juiofu.exe
612 2sun.exe
2808 juiofu.exe
2808 juiofu.exe
612 2sun.exe
612 2sun.exe
612 2sun.exe
2808 juiofu.exe
612 2sun.exe
2808 juiofu.exe
612 2sun.exe
2808 juiofu.exe
2808 juiofu.exe
612 2sun.exe
612 2sun.exe
612 2sun.exe
2808 juiofu.exe
612 2sun.exe
612 2sun.exe
2808 juiofu.exe
612 2sun.exe
2808 juiofu.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process
Token: SeDebugPrivilege 2752 tasklist.exe
Token: SeDebugPrivilege 2232 3sun.exe
Token: SeDebugPrivilege 2232 3sun.exe
Token: SeDebugPrivilege 3068 tasklist.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe
372 JB3O2vP3.exe
2808 juiofu.exe
2484 2sun.exe
2464 2sun.exe
1920 2sun.exe
Suspicious use of UnmapMainImage 1 IoCs
pid Process
332 csrss.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2284 wrote to memory of 372 2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe 30
PID 2284 wrote to memory of 372 2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe 30
PID 2284 wrote to memory of 372 2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe 30
PID 2284 wrote to memory of 372 2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe 30
PID 372 wrote to memory of 2808 372 JB3O2vP3.exe 31
PID 372 wrote to memory of 2808 372 JB3O2vP3.exe 31
PID 372 wrote to memory of 2808 372 JB3O2vP3.exe 31
PID 372 wrote to memory of 2808 372 JB3O2vP3.exe 31
PID 372 wrote to memory of 2712 372 JB3O2vP3.exe 32
PID 372 wrote to memory of 2712 372 JB3O2vP3.exe 32
PID 372 wrote to memory of 2712 372 JB3O2vP3.exe 32
PID 372 wrote to memory of 2712 372 JB3O2vP3.exe 32
PID 2712 wrote to memory of 2752 2712 cmd.exe 34
PID 2712 wrote to memory of 2752 2712 cmd.exe 34
PID 2712 wrote to memory of 2752 2712 cmd.exe 34
PID 2712 wrote to memory of 2752 2712 cmd.exe 34
PID 2284 wrote to memory of 2484 2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe 36
PID 2284 wrote to memory of 2484 2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe 36
PID 2284 wrote to memory of 2484 2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe 36
PID 2284 wrote to memory of 2484 2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe 36
PID 2484 wrote to memory of 2464 2484 2sun.exe 37
PID 2484 wrote to memory of 2464 2484 2sun.exe 37
PID 2484 wrote to memory of 2464 2484 2sun.exe 37
PID 2484 wrote to memory of 2464 2484 2sun.exe 37
PID 2484 wrote to memory of 2464 2484 2sun.exe 37
PID 2484 wrote to memory of 2464 2484 2sun.exe 37
PID 2484 wrote to memory of 2464 2484 2sun.exe 37
PID 2484 wrote to memory of 2464 2484 2sun.exe 37
PID 2484 wrote to memory of 612 2484 2sun.exe 38
PID 2484 wrote to memory of 612 2484 2sun.exe 38
PID 2484 wrote to memory of 612 2484 2sun.exe 38
PID 2484 wrote to memory of 612 2484 2sun.exe 38
PID 2484 wrote to memory of 612 2484 2sun.exe 38
PID 2484 wrote to memory of 612 2484 2sun.exe 38
PID 2484 wrote to memory of 612 2484 2sun.exe 38
PID 2484 wrote to memory of 612 2484 2sun.exe 38
PID 2484 wrote to memory of 2608 2484 2sun.exe 39
PID 2484 wrote to memory of 2608 2484 2sun.exe 39
PID 2484 wrote to memory of 2608 2484 2sun.exe 39
PID 2484 wrote to memory of 2608 2484 2sun.exe 39
PID 2484 wrote to memory of 2608 2484 2sun.exe 39
PID 2484 wrote to memory of 2608 2484 2sun.exe 39
PID 2484 wrote to memory of 2608 2484 2sun.exe 39
PID 2484 wrote to memory of 2608 2484 2sun.exe 39
PID 2484 wrote to memory of 1920 2484 2sun.exe 40
PID 2484 wrote to memory of 1920 2484 2sun.exe 40
PID 2484 wrote to memory of 1920 2484 2sun.exe 40
PID 2484 wrote to memory of 1920 2484 2sun.exe 40
PID 2484 wrote to memory of 1920 2484 2sun.exe 40
PID 2484 wrote to memory of 1920 2484 2sun.exe 40
PID 2484 wrote to memory of 1920 2484 2sun.exe 40
PID 2484 wrote to memory of 1920 2484 2sun.exe 40
PID 2484 wrote to memory of 980 2484 2sun.exe 41
PID 2484 wrote to memory of 980 2484 2sun.exe 41
PID 2484 wrote to memory of 980 2484 2sun.exe 41
PID 2484 wrote to memory of 980 2484 2sun.exe 41
PID 2484 wrote to memory of 980 2484 2sun.exe 41
PID 2284 wrote to memory of 2232 2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe 42
PID 2284 wrote to memory of 2232 2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe 42
PID 2284 wrote to memory of 2232 2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe 42
PID 2284 wrote to memory of 2232 2284 eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe 42
PID 2232 wrote to memory of 1192 2232 3sun.exe 21
PID 2232 wrote to memory of 332 2232 3sun.exe 2
PID 2232 wrote to memory of 1668 2232 3sun.exe 44
Processes
C:\Windows\system32\csrss.exe
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:332
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Modifies WinLogon for persistence
  PID:1192
    C:\Users\Admin\AppData\Local\Temp\eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:2284
        C:\Users\Admin\JB3O2vP3.exe
          Command line: C:\Users\Admin\JB3O2vP3.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID:372
            C:\Users\Admin\juiofu.exe
              Command line: "C:\Users\Admin\juiofu.exe"
              - Modifies visibility of hidden/system files in Explorer
              - Executes dropped EXE
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
              PID:2808
            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del JB3O2vP3.exe
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID:2712
                C:\Windows\SysWOW64\tasklist.exe
                  Command line: tasklist
                  - Enumerates processes with tasklist
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
                  PID:2752
        C:\Users\Admin\2sun.exe
          Command line: C:\Users\Admin\2sun.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID:2484
            C:\Users\Admin\2sun.exe
              Command line: "C:\Users\Admin\2sun.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID:2464
            C:\Users\Admin\2sun.exe
              Command line: "C:\Users\Admin\2sun.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              PID:612
            C:\Users\Admin\2sun.exe
              Command line: "C:\Users\Admin\2sun.exe"
              - Executes dropped EXE
              - Maps connected drives based on registry
              - Suspicious behavior: EnumeratesProcesses
              PID:2608
            C:\Users\Admin\2sun.exe
              Command line: "C:\Users\Admin\2sun.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID:1920
            C:\Users\Admin\2sun.exe
              Command line: "C:\Users\Admin\2sun.exe"
              - Executes dropped EXE
              PID:980
        C:\Users\Admin\3sun.exe
          Command line: C:\Users\Admin\3sun.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:2232
            C:\Users\Admin\AppData\Local\d2f57668\X
              Command line: *0*bc*b3a99052*31.193.3.240:53
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              PID:1668
            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\system32\cmd.exe"
              - System Location Discovery: System Language Discovery
              PID:1744
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del eebb4813600a92e8c2ce7b55a90ad885_JaffaCakes118.exe
          - Deletes itself
          - System Location Discovery: System Language Discovery
          PID:572
            C:\Windows\SysWOW64\tasklist.exe
              Command line: tasklist
              - Enumerates processes with tasklist
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID:3068
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (3)
Downloads
Filesize
228KB
MD5
290d691efc05b13247d2f6d8952a215b
SHA1
a885524eae321c2d025dd8e2fe4c8dd76dfb0ca0
SHA256
43b951fb64328c15a0592d228e90f05be14b4f18a902c35b5c0451020e1d82be
SHA512
8dfdcdd93b47db1b490a80fd1c483e5f10d18d782f34562bf7313039040c69878fb1d6ad22f1b3d6e48dcc8db507c430f11b1a976b48f9cd1769400fba4c150e

Filesize
29KB
MD5
1149c1bd71248a9d170e4568fb08df30
SHA1
6f77f183d65709901f476c5d6eebaed060a495f9
SHA256
c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1
SHA512
9e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459

Filesize
128KB
MD5
cba16c1a489b02c4ff5720c68f35f787
SHA1
bd3d817f02e1492d246c067a6ddf3e0ec33d86c3
SHA256
0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80
SHA512
00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

Filesize
278KB
MD5
345cbbd3a56a313f804b997f8cbecb2b
SHA1
9978d6f5bca8ab1486573ff073661e7cfd40c365
SHA256
492c8cf86fcfa07fcf5716b17593a9ec265c5aa919c2fe563a34ece1580b055c
SHA512
5cdb8b00ab0d653a34b3d1b2871ebeb0badfe223779dce775adf00d577a2931f77c1e6d92cda719e32a8683f6f729179f128472efdf6ec0ac18cbdbcfbbc237d

Filesize
38KB
MD5
72de2dadaf875e2fd7614e100419033c
SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e
SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381
SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Filesize
228KB
MD5
c5f7f2c62bd8e57d513aa4792ef168b0
SHA1
8a93ee69809d1794bd1d38177ce6cd9eeb78fd49
SHA256
6fd70cecc751f9ee03c1a51aa194081fedb737b8e43937f29f4e5c496baa0bb0
SHA512
8864474f7a3abc0b4a01cc41ac00e76bfd778c935bba1f924c4cb8fc2f40ef74b793c1ea2eefb2bd011395ed9a4100d23c831f099489a8769b02d78cf5157380

Filesize
2KB
MD5
a6fb3c7ae7e2fdf8000eee97bb2d2411
SHA1
40bf52c55bc655e48a2337cf642bbac28e3cec8d
SHA256
10b1e83c2a5b056eff6aa1163711f7ad440c453d91d0c6f446121b257d43f647
SHA512
6cb494b437d561f24f9c8d84b72f8ce882f5f5418bd086c0a6dbf758d002788f4f227c7e7903e108008200be2edb6c4f6b1c508076d8d0bbb2cef21922cff868