Analysis
- max time kernel: 149s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21/09/2024, 17:30
Static task: static1
Behavioral task: behavioral1
- Sample: f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
- Size: 327KB
- MD5: f04c346d3404ac8d43e5d0a53ddade9c
- SHA1: fe67d3fa2e6f7cba1ddecbd602c85f6afeba3ea0
- SHA256: 687e462b8258737846dbd465a671aa54445a0d04b8806e7038bf115715d4b6c0
- SHA512: 85485992f4b956618496d771f0182ee4206176658d558c706536f07c629ba398eb08dc51e905bfbfae4dad8f644c5d586a82bae37ac6f3c508019b2ddf87fbc4
- SSDEEP: 6144:O5b5+cPq+OP1J1Dtcc+RBaCdgmCtj0qJifmgYHLgiJ8+KqICY6oHW9k1UJADkau:O15+cS+2b1pcfZU4fmgYH7J8+GtvzDu
Malware Config
Signatures
Event Triggered Execution: Image File Execution Options Injection  1 TTPs  2 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | SMSS.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | LSASS.EXE
ACProtect 1.3x - 1.4x DLL software  1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x00300000000173e4-37.dat | acprotect
Executes dropped EXE  6 IoCs
pid | Process
2576 | LSASS.EXE
2928 | SMSS.EXE
1044 | SMSS.EXE
2144 | SMSS.EXE
1804 | SMSS.EXE
1284 | SMSS.EXE
Loads dropped DLL  16 IoCs
pid | Process
2672 | regsvr32.exe
2224 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
2224 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
2576 | LSASS.EXE
2860 | regsvr32.exe
1088 | cmd.exe
1088 | cmd.exe
1264 | cmd.exe
1264 | cmd.exe
2260 | cmd.exe
2260 | cmd.exe
2576 | LSASS.EXE
2576 | LSASS.EXE
1804 | SMSS.EXE
296 | cmd.exe
296 | cmd.exe
UPX packed file  5 IoCs
resource | yara_rule
behavioral1/memory/2576-41-0x0000000010000000-0x0000000010012000-memory.dmp | upx
behavioral1/files/0x00300000000173e4-37.dat | upx
behavioral1/memory/1804-64-0x0000000010000000-0x0000000010012000-memory.dmp | upx
behavioral1/memory/2576-70-0x0000000010000000-0x0000000010012000-memory.dmp | upx
behavioral1/memory/1804-73-0x0000000010000000-0x0000000010012000-memory.dmp | upx
Adds Run key to start application  2 TTPs  5 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
Checks for any installed AV software in registry  1 TTPs  2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | LSASS.EXE
Checks whether UAC is enabled  2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | LSASS.EXE
Enumerates connected drives  3 TTPs  2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | LSASS.EXE
File opened (read-only) | \??\E: | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
Indicator Removal: Clear Persistence  2 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | LSASS.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | SMSS.EXE
Drops autorun.inf file  1 TTPs  7 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\E:\AUTORUN.INF | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
File opened for modification | C:\AUTORUN.INF | LSASS.EXE
File opened for modification | D:\AUTORUN.INF | LSASS.EXE
File opened for modification | \??\E:\AUTORUN.INF | LSASS.EXE
File created | C:\AUTORUN.INF | LSASS.EXE
File opened for modification | C:\AUTORUN.INF | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
File opened for modification | D:\AUTORUN.INF | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
Drops file in System32 directory  17 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\com\LSASS.EXE | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\com\netcfg.dll | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\00302.log | LSASS.EXE
File opened for modification | C:\Windows\SysWOW64\com\bak | LSASS.EXE
File created | C:\Windows\SysWOW64\00302.log | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\com\SMSS.EXE | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\com\netcfg.dll | LSASS.EXE
File created | C:\Windows\SysWOW64\com\netcfg.000 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\com\netcfg.000 | LSASS.EXE
File opened for modification | C:\Windows\SysWOW64\dnsq.dll | LSASS.EXE
File created | C:\Windows\SysWOW64\dnsq.dll | LSASS.EXE
File opened for modification | C:\Windows\SysWOW64\com\SMSS.EXE | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\com\netcfg.000 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\com\netcfg.dll | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\com\LSASS.EXE | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\com\SMSS.EXE | LSASS.EXE
File opened for modification | C:\Windows\SysWOW64\com\LSASS.EXE | LSASS.EXE
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery  1 TTPs  27 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SMSS.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LSASS.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
System Network Configuration Discovery: Internet Connection Discovery  1 TTPs  1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1968 | ping.exe
Modifies Internet Explorer settings  1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | LSASS.EXE
Modifies registry class  64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\ | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Runs ping.exe  1 TTPs  1 IoCs
pid | Process
1968 | ping.exe
Suspicious behavior: EnumeratesProcesses  2 IoCs
pid | Process
2224 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
2576 | LSASS.EXE
Suspicious behavior: LoadsDriver  2 IoCs
pid | Process
480 | Process not Found
480 | Process not Found
Suspicious use of AdjustPrivilegeToken  6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2224 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
Token: SeDebugPrivilege | 2576 | LSASS.EXE
Token: 33 | 2548 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2548 | AUDIODG.EXE
Token: 33 | 2548 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2548 | AUDIODG.EXE
Suspicious use of SetWindowsHookEx  9 IoCs
pid | Process
2224 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
2224 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
2224 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
2224 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
2576 | LSASS.EXE
2576 | LSASS.EXE
2576 | LSASS.EXE
2576 | LSASS.EXE
2576 | LSASS.EXE
Suspicious use of WriteProcessMemory  64 IoCs
description | pid | Process | procid_target | identical rows
PID 2224 wrote to memory of 2660 | 2224 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe | 30 | 4
PID 2224 wrote to memory of 2700 | 2224 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe | 31 | 4
PID 2224 wrote to memory of 2792 | 2224 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe | 34 | 4
PID 2224 wrote to memory of 2672 | 2224 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe | 36 | 7
PID 2224 wrote to memory of 2576 | 2224 | f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe | 37 | 4
PID 2576 wrote to memory of 1760 | 2576 | LSASS.EXE | 38 | 4
PID 2576 wrote to memory of 2556 | 2576 | LSASS.EXE | 39 | 4
PID 2576 wrote to memory of 2564 | 2576 | LSASS.EXE | 40 | 4
PID 2576 wrote to memory of 2572 | 2576 | LSASS.EXE | 41 | 4
PID 2576 wrote to memory of 2584 | 2576 | LSASS.EXE | 42 | 4
PID 2576 wrote to memory of 2616 | 2576 | LSASS.EXE | 43 | 4
PID 2576 wrote to memory of 2108 | 2576 | LSASS.EXE | 44 | 4
PID 2576 wrote to memory of 1800 | 2576 | LSASS.EXE | 52 | 4
PID 2576 wrote to memory of 2872 | 2576 | LSASS.EXE | 54 | 4
PID 2576 wrote to memory of 564 | 2576 | LSASS.EXE | 56 | 4
PID 2576 wrote to memory of 2736 | 2576 | LSASS.EXE | 58 | 1
Processes
- C:\Users\Admin\AppData\Local\Temp\f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe (PID 2224)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Checks for any installed AV software in registry; Checks whether UAC is enabled; Enumerates connected drives; Drops autorun.inf file; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cacls.exe (PID 2660)
    Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cacls.exe (PID 2700)
    Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2792)
    Command line: cmd.exe /c echo ok
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\regsvr32.exe (PID 2672)
    Command line: "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
  - C:\Windows\SysWOW64\com\LSASS.EXE (PID 2576)
    Command line: "C:\Windows\system32\com\LSASS.EXE"
    Signatures: Event Triggered Execution: Image File Execution Options Injection; Executes dropped EXE; Loads dropped DLL; Checks for any installed AV software in registry; Checks whether UAC is enabled; Enumerates connected drives; Indicator Removal: Clear Persistence; Drops autorun.inf file; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cacls.exe (PID 1760)
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cacls.exe (PID 2556)
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cacls.exe (PID 2564)
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Admin:F
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cacls.exe (PID 2572)
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Everyone:F
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cacls.exe (PID 2584)
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cacls.exe (PID 2616)
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Everyone:F
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 2108)
      Command line: cmd.exe /c echo ok
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 1800)
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 2872)
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\LSASS.EXE"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 564)
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\netcfg.000"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 2736)
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\netcfg.dll"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\regsvr32.exe (PID 2860)
      Command line: "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
      Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
    - C:\Windows\SysWOW64\cmd.exe (PID 1088)
      Command line: cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|C:\pagefile.pif"
      Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\com\SMSS.EXE (PID 2928)
        Command line: C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|C:\pagefile.pif
        Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe (PID 1264)
      Command line: cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|D:\pagefile.pif"
      Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\com\SMSS.EXE (PID 1044)
        Command line: C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|D:\pagefile.pif
        Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe (PID 2260)
      Command line: cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|E:\pagefile.pif"
      Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\com\SMSS.EXE (PID 2144)
        Command line: C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|E:\pagefile.pif
        Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\com\SMSS.EXE (PID 1804)
      Command line: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      Signatures: Event Triggered Execution: Image File Execution Options Injection; Executes dropped EXE; Loads dropped DLL; Indicator Removal: Clear Persistence; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 1232)
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 2236)
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 296)
      Command line: cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|D:\pagefile.pif"
      Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\com\SMSS.EXE (PID 1284)
        Command line: C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|D:\pagefile.pif
        Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe (PID 1620)
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\ping.exe (PID 1968)
      Command line: ping.exe -f -n 1 www.baidu.com
      Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- C:\Windows\system32\AUDIODG.EXE (PID 2548)
  Command line: C:\Windows\system32\AUDIODG.EXE 0xcc
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Discovery
- Peripheral Device Discovery (1)
- Query Registry (1)
- Remote System Discovery (1)
- Software Discovery (1): Security Software Discovery (1)
- System Information Discovery (3)
- System Location Discovery (1): System Language Discovery (1)
- System Network Configuration Discovery (1): Internet Connection Discovery (1)
Downloads