Analysis
- Max time kernel: 141s
- Max time network: 148s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240802-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 21/09/2024, 17:30

Static task: static1

Behavioral task: behavioral1
- Sample: f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe
- Size: 327KB
- MD5: f04c346d3404ac8d43e5d0a53ddade9c
- SHA1: fe67d3fa2e6f7cba1ddecbd602c85f6afeba3ea0
- SHA256: 687e462b8258737846dbd465a671aa54445a0d04b8806e7038bf115715d4b6c0
- SHA512: 85485992f4b956618496d771f0182ee4206176658d558c706536f07c629ba398eb08dc51e905bfbfae4dad8f644c5d586a82bae37ac6f3c508019b2ddf87fbc4
- SSDEEP: 6144:O5b5+cPq+OP1J1Dtcc+RBaCdgmCtj0qJifmgYHLgiJ8+KqICY6oHW9k1UJADkau:O15+cS+2b1pcfZU4fmgYH7J8+GtvzDu
Malware Config
Signatures
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 1 IoCs)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (LSASS.EXE)

ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
- yara_rule acprotect: behavioral2/files/0x000800000002344b-34.dat

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation (LSASS.EXE)

Executes dropped EXE (6 IoCs)
- PID 3180: LSASS.EXE
- PID 4828: SMSS.EXE
- PID 1580: SMSS.EXE
- PID 1020: SMSS.EXE
- PID 1280: SMSS.EXE
- PID 1768: SMSS.EXE

Loads dropped DLL (3 IoCs)
- PID 1480: regsvr32.exe
- PID 3180: LSASS.EXE
- PID 876: regsvr32.exe

YARA rule: upx (3 IoCs)
- yara_rule upx: behavioral2/memory/3180-37-0x0000000010000000-0x0000000010012000-memory.dmp
- yara_rule upx: behavioral2/files/0x000800000002344b-34.dat
- yara_rule upx: behavioral2/memory/3180-58-0x0000000010000000-0x0000000010012000-memory.dmp

Adds Run key to start application (2 TTPs, 1 IoCs)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)

Checks for any installed AV software in registry (1 TTPs, 2 IoCs)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService (LSASS.EXE)

Checks whether UAC is enabled (2 IoCs; signature name as listed in the process tree below)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (LSASS.EXE)

Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\E: (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- File opened (read-only): \??\E: (LSASS.EXE)

Indicator Removal: Clear Persistence (1 IoCs; signature name as listed in the process tree below)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (LSASS.EXE)

Drops autorun.inf file (1 TTPs, 7 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification: D:\AUTORUN.INF (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- File opened for modification: \??\E:\AUTORUN.INF (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- File opened for modification: C:\AUTORUN.INF (LSASS.EXE)
- File opened for modification: D:\AUTORUN.INF (LSASS.EXE)
- File opened for modification: \??\E:\AUTORUN.INF (LSASS.EXE)
- File created: C:\AUTORUN.INF (LSASS.EXE)
- File opened for modification: C:\AUTORUN.INF (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)

Drops file in System32 directory (17 IoCs)
- File opened for modification: C:\Windows\SysWOW64\com\SMSS.EXE (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\com\LSASS.EXE (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\com\netcfg.000 (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\com\netcfg.dll (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\com\LSASS.EXE (LSASS.EXE)
- File opened for modification: C:\Windows\SysWOW64\dnsq.dll (LSASS.EXE)
- File opened for modification: C:\Windows\SysWOW64\com\bak (LSASS.EXE)
- File created: C:\Windows\SysWOW64\00302.log (LSASS.EXE)
- File opened for modification: C:\Windows\SysWOW64\com\SMSS.EXE (LSASS.EXE)
- File created: C:\Windows\SysWOW64\com\SMSS.EXE (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\com\netcfg.000 (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\com\netcfg.dll (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\00302.log (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\com\LSASS.EXE (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\com\netcfg.000 (LSASS.EXE)
- File opened for modification: C:\Windows\SysWOW64\com\netcfg.dll (LSASS.EXE)
- File created: C:\Windows\SysWOW64\dnsq.dll (LSASS.EXE)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 26 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by cmd.exe (13 times), cacls.exe (8 times), regsvr32.exe (2 times), ping.exe (1 time), LSASS.EXE (1 time) and f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe (1 time)
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- PID 2168: ping.exe

Modifies registry class (64 IoCs, all by regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\

Runs ping.exe (1 TTPs, 1 IoCs)
- PID 2168: ping.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 4856: f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe (2 times)
- PID 3180: LSASS.EXE (2 times)

Suspicious behavior: LoadsDriver (2 IoCs)
- PID 656: Process not Found (2 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 4856 (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe)
- Token: SeDebugPrivilege, PID 3180 (LSASS.EXE)

Suspicious use of SetWindowsHookEx (9 IoCs)
- PID 4856: f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe (4 times)
- PID 3180: LSASS.EXE (5 times)

Suspicious use of WriteProcessMemory (64 IoCs)
Each row gives the writing PID and process, the target PID, and the sandbox procid_target; every write was recorded three times unless noted.
- PID 4856 (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe) wrote to memory of PID 3320, procid_target 82
- PID 4856 (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe) wrote to memory of PID 3056, procid_target 83
- PID 4856 (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe) wrote to memory of PID 3080, procid_target 85
- PID 4856 (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe) wrote to memory of PID 1480, procid_target 88
- PID 4856 (f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe) wrote to memory of PID 3180, procid_target 89
- PID 3180 (LSASS.EXE) wrote to memory of PID 2584, procid_target 90
- PID 3180 (LSASS.EXE) wrote to memory of PID 4820, procid_target 91
- PID 3180 (LSASS.EXE) wrote to memory of PID 2200, procid_target 93
- PID 3180 (LSASS.EXE) wrote to memory of PID 1068, procid_target 95
- PID 3180 (LSASS.EXE) wrote to memory of PID 2464, procid_target 97
- PID 3180 (LSASS.EXE) wrote to memory of PID 1860, procid_target 99
- PID 3180 (LSASS.EXE) wrote to memory of PID 2452, procid_target 101
- PID 3180 (LSASS.EXE) wrote to memory of PID 1472, procid_target 104
- PID 3180 (LSASS.EXE) wrote to memory of PID 2816, procid_target 106
- PID 3180 (LSASS.EXE) wrote to memory of PID 4728, procid_target 108
- PID 3180 (LSASS.EXE) wrote to memory of PID 968, procid_target 110
- PID 3180 (LSASS.EXE) wrote to memory of PID 876, procid_target 112
- PID 3180 (LSASS.EXE) wrote to memory of PID 2716, procid_target 113
- PID 2716 (cmd.exe) wrote to memory of PID 4828, procid_target 115
- PID 3180 (LSASS.EXE) wrote to memory of PID 1772, procid_target 116
- PID 1772 (cmd.exe) wrote to memory of PID 1580, procid_target 118
- PID 3180 (LSASS.EXE) wrote to memory of PID 3584, procid_target 119 (1 time; the list is capped at 64 IoCs)
Processes
Indentation shows the parent/child depth of each process; the command line follows the image path.

C:\Users\Admin\AppData\Local\Temp\f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe (PID 4856)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f04c346d3404ac8d43e5d0a53ddade9c_JaffaCakes118.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cacls.exe (PID 3320)
    Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cacls.exe (PID 3056)
    Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (PID 3080)
    Command line: cmd.exe /c echo ok
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\regsvr32.exe (PID 1480)
    Command line: "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class

  C:\Windows\SysWOW64\com\LSASS.EXE (PID 3180)
    Command line: "C:\Windows\system32\com\LSASS.EXE"
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Indicator Removal: Clear Persistence
    - Drops autorun.inf file
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cacls.exe (PID 2584)
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cacls.exe (PID 4820)
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cacls.exe (PID 2200)
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Admin:F
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cacls.exe (PID 1068)
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Everyone:F
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cacls.exe (PID 2464)
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cacls.exe (PID 1860)
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Everyone:F
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 2452)
      Command line: cmd.exe /c echo ok
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 1472)
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 2816)
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\LSASS.EXE"
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 4728)
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\netcfg.000"
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 968)
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\netcfg.dll"
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\regsvr32.exe (PID 876)
      Command line: "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies registry class

    C:\Windows\SysWOW64\cmd.exe (PID 2716)
      Command line: cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|C:\pagefile.pif"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\com\SMSS.EXE (PID 4828)
        Command line: C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|C:\pagefile.pif
        - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe (PID 1772)
      Command line: cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|D:\pagefile.pif"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\com\SMSS.EXE (PID 1580)
        Command line: C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|D:\pagefile.pif
        - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe (PID 3584)
      Command line: cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|E:\pagefile.pif"
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\com\SMSS.EXE (PID 1020)
        Command line: C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|E:\pagefile.pif
        - Executes dropped EXE

    C:\Windows\SysWOW64\com\SMSS.EXE (PID 1280)
      Command line: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe (PID 4540)
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 2600)
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 4700)
      Command line: cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|D:\pagefile.pif"
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\com\SMSS.EXE (PID 1768)
        Command line: C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|D:\pagefile.pif
        - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe (PID 216)
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\ping.exe (PID 2168)
      Command line: ping.exe -f -n 1 www.baidu.com
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Counts in parentheses are the number of matched signatures per technique.

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Discovery
- Peripheral Device Discovery (1)
- Query Registry (2)
- Remote System Discovery (1)
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (4)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
Downloads
- Filesize: 327KB
  MD5: f04c346d3404ac8d43e5d0a53ddade9c
  SHA1: fe67d3fa2e6f7cba1ddecbd602c85f6afeba3ea0
  SHA256: 687e462b8258737846dbd465a671aa54445a0d04b8806e7038bf115715d4b6c0
  SHA512: 85485992f4b956618496d771f0182ee4206176658d558c706536f07c629ba398eb08dc51e905bfbfae4dad8f644c5d586a82bae37ac6f3c508019b2ddf87fbc4
- Filesize: 44KB
  MD5: e63dcadc948e558dce82828078bd0661
  SHA1: 517f75447adb13524d929251faa2fa79c93d8aad
  SHA256: 511448c29fca76587f0e4a38ea2370726f5977e17850a904aedb1c58eecf0169
  SHA512: 9a67916225fd484216746b4e9cefc3259cd154ad4fc33d2f8842ea8b141e3efbe4284ca740dde157d8df85244b3c35f54ac280a40f0d0f13144ba92667f59f9c
- Filesize: 20KB
  MD5: a4089e292d473cc4bee6499633f75ac1
  SHA1: e3ba401db3ad5df31eb2df48d539f0ace8bbafe8
  SHA256: ac95862f70201a84124100958d2dced7d02100b2faef8a3e79fd739209552863
  SHA512: 39381d7e9bf788b7ebe0e6a8311e517abc2b8253d0d51ef6d62b8c213ff87126e00d75bcae06898f36cfa33763bd4aae0839bfb1ac6f69de39cf58ccea33aebf
- Filesize: 23KB
  MD5: 6461a28160d060b3dce284093e26101f
  SHA1: 07956df958f0eeed83a6972b5759aac3278d2126
  SHA256: 3acd2810f366e2e80ef45d22443da09fea685ada794b42aeea680443b28ddda6
  SHA512: 916572549dfe51169747ae0cb95b6facc01aef191d2a0fab98ecdeef43074541b3cba4a3b7639dcd03c3be310184436cd60bda4db03b53cdf6cf61b577e53b5a