Analysis
-
max time kernel
97s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21/09/2024, 01:36 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe
-
Size
132KB
-
MD5
eed37cf09b9398aabcea83bb3f233d13
-
SHA1
c3267753b2ddc763153bea9beddd009402ccf3c6
-
SHA256
9879b1e44c666011159838b2f07443af399d950842afef9e27668bfff5817546
-
SHA512
6b5ea3cf3464336d0bfc30d219dd8fc34ac51f666a0815a70f6d3c65f04018bb1fc0efa17276f114bb3994327025b7f855006b466cf4e431fd37dd86ff11c96e
-
SSDEEP
3072:AXMH+xXy+URljrFQCKkJm+kS0w+xhMGE8gZMp9gx:ApX+FQCKkJaNZbpI
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe:*:enabled:@shell32.dll,-1" eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe -
Suspicious behavior: MapViewOfSection 64 IoCs
pid Process 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4280 wrote to memory of 612 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 5 PID 4280 wrote to memory of 612 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 5 PID 4280 wrote to memory of 612 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 5 PID 4280 wrote to memory of 612 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 5 PID 4280 wrote to memory of 612 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 5 PID 4280 wrote to memory of 612 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 5 PID 4280 wrote to memory of 668 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 7 PID 4280 wrote to memory of 668 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 7 PID 4280 wrote to memory of 668 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 7 PID 4280 wrote to memory of 668 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 7 PID 4280 wrote to memory of 668 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 7 PID 4280 wrote to memory of 668 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 7 PID 4280 wrote to memory of 768 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 8 PID 4280 wrote to memory of 768 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 8 PID 4280 wrote to memory of 768 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 8 PID 4280 wrote to memory of 768 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 8 PID 4280 wrote to memory of 768 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 8 PID 4280 wrote to memory of 768 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 8 PID 4280 wrote to memory of 772 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 9 PID 4280 wrote to memory of 772 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 9 PID 4280 wrote to memory of 772 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 9 PID 4280 wrote to memory of 772 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 9 PID 4280 wrote to memory of 772 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 9 PID 4280 wrote to memory of 772 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 9 PID 4280 wrote to memory of 784 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 10 PID 4280 wrote to memory of 784 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 10 PID 4280 wrote to memory of 784 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 10 PID 4280 wrote to memory of 784 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 10 PID 4280 wrote to memory of 784 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 10 PID 4280 wrote to memory of 784 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 10 PID 4280 wrote to memory of 892 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 11 PID 4280 wrote to memory of 892 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 11 PID 4280 wrote to memory of 892 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 11 PID 4280 wrote to memory of 892 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 11 PID 4280 wrote to memory of 892 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 11 PID 4280 wrote to memory of 892 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 11 PID 4280 wrote to memory of 940 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 12 PID 4280 wrote to memory of 940 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 12 PID 4280 wrote to memory of 940 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 12 PID 4280 wrote to memory of 940 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 12 PID 4280 wrote to memory of 940 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 12 PID 4280 wrote to memory of 940 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 12 PID 4280 wrote to memory of 1012 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 13 PID 4280 wrote to memory of 1012 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 13 PID 4280 wrote to memory of 1012 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 13 PID 4280 wrote to memory of 1012 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 13 PID 4280 wrote to memory of 1012 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 13 PID 4280 wrote to memory of 1012 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 13 PID 4280 wrote to memory of 412 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 14 PID 4280 wrote to memory of 412 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 14 PID 4280 wrote to memory of 412 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 14 PID 4280 wrote to memory of 412 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 14 PID 4280 wrote to memory of 412 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 14 PID 4280 wrote to memory of 412 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 14 PID 4280 wrote to memory of 908 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 15 PID 4280 wrote to memory of 908 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 15 PID 4280 wrote to memory of 908 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 15 PID 4280 wrote to memory of 908 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 15 PID 4280 wrote to memory of 908 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 15 PID 4280 wrote to memory of 908 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 15 PID 4280 wrote to memory of 1060 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 16 PID 4280 wrote to memory of 1060 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 16 PID 4280 wrote to memory of 1060 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 16 PID 4280 wrote to memory of 1060 4280 eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe 16
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"2⤵PID:768
-
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:1012
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:668
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:772
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵PID:784
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding2⤵PID:3156
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵PID:3864
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵PID:3960
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵PID:4024
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵PID:1036
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵PID:3544
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵PID:440
-
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding2⤵PID:1468
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵PID:3576
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca2⤵PID:4848
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵PID:892
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:940
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:412
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵PID:908
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1060
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1064
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1080
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1236
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2868
-
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe2⤵PID:3300
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1252
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1272
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1348
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1360
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1480
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1512
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1520
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1572
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2700
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1648
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1700
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1748
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1804
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1832
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1948
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1996
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:2008
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1736
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2124
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2160
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵PID:2228
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2260
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2320
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2552
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2720
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2844
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2856
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2904
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2928
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2960
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3508
-
C:\Users\Admin\AppData\Local\Temp\eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eed37cf09b9398aabcea83bb3f233d13_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4280
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3516
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3684
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4100
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:1456
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:2912
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:1932
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4748
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:2180
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:4432
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestilo.brenz.plIN AResponse
-
Remote address:8.8.8.8:53Requestant.trenz.plIN AResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request48.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request48.229.111.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request48.229.111.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request48.229.111.52.in-addr.arpaIN PTR
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
58 B 58 B 1 1
DNS Request
ilo.brenz.pl
-
58 B 58 B 1 1
DNS Request
ant.trenz.pl
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
73.159.190.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
288 B 158 B 4 1
DNS Request
48.229.111.52.in-addr.arpa
DNS Request
48.229.111.52.in-addr.arpa
DNS Request
48.229.111.52.in-addr.arpa
DNS Request
48.229.111.52.in-addr.arpa