Analysis
max time kernel: 122s
max time network: 136s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/09/2024, 18:26
Static task: static1
Behavioral task: behavioral1
Sample: fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Size: 851KB
MD5: fce3e2274c2d06fe2e10e5f5c492d93d
SHA1: 7acfd8f04490fcc524d3db32026718bf3f15f663
SHA256: 6f68e9504b620b6f04078e1e696a429d2757647f35101276af3de93f9042fe81
SHA512: 304943e12f29cc05fa97718f50ed01eca4e99ff6d46531b1e1fbedf272d655c3e5520c1acc649d7008ff59f04ddb85abd015160e667367c7d8394c6d71c469a1
SSDEEP: 12288:BMoVefu+XY93VM/6sSISPehPEYDxGhhkZEZivnNxaT0Iw5pkd3DUe/:BMPfuZMSsNN9GTmEsnlc5DUe/
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Executes dropped EXE (1 IoCs)
pid | Process
2940 | DDB V. 1.0.exe

Loads dropped DLL (7 IoCs)
pid | Process
1848 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe (2 entries)
2940 | DDB V. 1.0.exe (5 entries)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H:, \??\J:, \??\M:, \??\N:, \??\O:, \??\S:, \??\L:, \??\Q:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\E:, \??\G:, \??\I:, \??\K:, \??\P:, \??\R:, \??\Y:, \??\Z: (21 drive roots, one entry each) | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
resource | yara_rule
behavioral1/memory/1848-N-0x0000000001E90000-0x0000000002F4A000-memory.dmp (30 dumps of the same region in PID 1848; N = 1, 15, 30, 29, 19, 28, 26, 14, 17, 16, 64, 65, 68, 69, 70, 73, 74, 75, 81, 82, 87, 103, 102, 106, 107, 176, 177, 317, 435, 536) | upx
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\f77b5b8 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
File opened for modification | C:\Windows\SYSTEM.INI | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DDB V. 1.0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b000000000200000000001066000000010000200000001953de9969f30b924430e58a35854bf341a1596984527a409b0f487e5bb7af3d000000000e8000000002000020000000e1f9b26560c4154be23594d772dd0b1c23a848b7526295eab4b578cd905d9b4220000000031fca6702ea1058d09c2eadbeb65c64e371a28ac49bd24d814ee13772a07b7f400000006c06559ed33d7791c04b8dcbe06b881cd0d879dbff49e75240510f9511b9a3ead348ceecc1f8474e2e2237ade163b7ed6b416f73e13d318af354ca563a382bfa | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b000000000200000000001066000000010000200000009432c8ccfcd7e4f80235721623fcc970b202db9f35cd6059b22494ac7b73acc6000000000e8000000002000020000000f2bbfb9a16ef69ae8618f61221048764e94e22edf5ee5431090bd5d8d49850b790000000479ff1f0fa5b531ea28438c26ae5a583083547a23c2e2e0dfc4964d22f785d5434faee889f843f70367dbafbfb8019e4fd564808bc42f114830883ee51dd62b0ad40610c9b7224f1188aee4c29b861bae08e3d30918961cc499951851d404be65665409039a8e17bbfa31b8e17fd9dba75dc2eaa62931a9d2d5203047d31fa517f1160b797b18ba53b77631bc1924325400000001e276af1af18acead68c655a2bf26980b57ac0ee149ae645a01b62167b35a2672282438f3075b68139403fad6910cc0d9bcf024de83fdaf9b52f6c5d8770fc5e | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3F80EB01-7DC7-11EF-9704-E62D5E492327} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50524b18d411db01 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433709887" | iexplore.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32 | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA} | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1 | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx0026D167E0\\GIFviewer.ocx, 30000" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control\ | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0 | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION\ = "1.0" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32 | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0" | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290} | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0" | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32 | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32 | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32 | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ = "WelchGIFviewer.ucAniGIF" | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\ = "WelchGIFviewer.ucAniGIF" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155} | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0" | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx0026D167E0\\GIFviewer.ocx" | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32 | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32 | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx0026D167E0" | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx0026D167E0\\GIFviewer.ocx" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "ucAniGIF" | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\ = "WelchGIFviewer" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0 | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290} | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\ = "0" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS\ = "2" | DDB V. 1.0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0} | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1\ = "147857" | DDB V. 1.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "ucAniGIF" | DDB V. 1.0.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1848 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe (1 entry)
2940 | DDB V. 1.0.exe (remaining 63 entries)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1848 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe (24 identical entries)
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
1944 | iexplore.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
2940 | DDB V. 1.0.exe (2 entries)
1944 | iexplore.exe (2 entries)
1052 | IEXPLORE.EXE (4 entries)
Suspicious use of WriteProcessMemory (64 IoCs; identical entries are grouped, with the count of each)
description | pid | Process | procid_target | count
PID 1848 wrote to memory of 2940 | 1848 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 30 | 6
PID 1848 wrote to memory of 1104 | 1848 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 19 | 10
PID 1848 wrote to memory of 1168 | 1848 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 20 | 10
PID 1848 wrote to memory of 1212 | 1848 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 21 | 10
PID 1848 wrote to memory of 856 | 1848 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 23 | 10
PID 1848 wrote to memory of 1944 | 1848 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 31 | 8
PID 1848 wrote to memory of 1052 | 1848 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 32 | 2
PID 2940 wrote to memory of 1944 | 2940 | DDB V. 1.0.exe | 31 | 4
PID 1944 wrote to memory of 1052 | 1944 | iexplore.exe | 32 | 4
System policy modification 1 TTPs 1 IoCs
description: Set value (int)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process: fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Processes
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID:1104
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID:1168
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID:1212
  - C:\Users\Admin\AppData\Local\Temp\fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe"
    signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Loads dropped DLL; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops autorun.inf file; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    PID:1848
    - C:\Users\Admin\AppData\Local\Temp\~sfx0026D167E0\DDB V. 1.0.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\~sfx0026D167E0\DDB V. 1.0.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      PID:2940
      - C:\Program Files\Internet Explorer\iexplore.exe
        command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dabat.tk/
        signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        PID:1944
        - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1944 CREDAT:275457 /prefetch:2
          signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
          PID:1052
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:856
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (4)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (3)
  - Modify Registry (6)
Downloads