Analysis
  max time kernel:  122s
  max time network: 150s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240802-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        28/09/2024, 18:26
Static task
  static1
Behavioral task
  behavioral1
  Sample:   fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Resource: win7-20240903-en

Note: the memory-dump paths in the signatures below are prefixed behavioral2, so the results on this page come from the Windows 10 (win10v2004-20240802-en) run described under Analysis, not from the behavioral1 Windows 7 task listed here.
General
  Target:  fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Size:    851KB
  MD5:     fce3e2274c2d06fe2e10e5f5c492d93d
  SHA1:    7acfd8f04490fcc524d3db32026718bf3f15f663
  SHA256:  6f68e9504b620b6f04078e1e696a429d2757647f35101276af3de93f9042fe81
  SHA512:  304943e12f29cc05fa97718f50ed01eca4e99ff6d46531b1e1fbedf272d655c3e5520c1acc649d7008ff59f04ddb85abd015160e667367c7d8394c6d71c469a1
  SSDEEP:  12288:BMoVefu+XY93VM/6sSISPehPEYDxGhhkZEZivnNxaT0Iw5pkd3DUe/:BMPfuZMSsNN9GTmEsnlc5DUe/
Malware Config
Extracted
  Family: sality
  URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
UAC bypass (1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Windows security bypass (6 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
  pid | process
  3176 | DDB V. 1.0.exe

Loads dropped DLL (2 IoCs)
  pid | process
  3176 | DDB V. 1.0.exe
  3176 | DDB V. 1.0.exe
Windows security modification (7 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Checks whether UAC is enabled (1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
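The registry-centred signatures above (firewall policy, UAC, Security Center) are the first things a responder checks on any host that ran this sample. The script below is an added example, not tria.ge output or tooling: it parses the report's own "Set value" rows (embedded here as constructed input), normalises the native-format paths, compares each value with an assumed hardened-host baseline, and emits the reg.exe commands that restore it. One detail worth noticing in the rows: the Security Center writes landed under WOW6432Node, which means the writer is a 32-bit process subject to registry redirection, while EnableLUA landed in the native Policies key because that key is shared between the 32- and 64-bit views. The 64-bit Security Center service reads the native key, so a responder should inspect both views rather than only the one the sandbox logged. The baseline values, the ControlSet001-to-CurrentControlSet mapping and the ATT&CK technique ids are the author's assumptions, not data from the report.

```python
"""Classify the security-disabling registry writes listed in the report.

Added example, not part of the tria.ge report or of tria.ge's tooling.
The rows below are the report's own 'Set value' IoCs; the baseline of
expected values, the ControlSet001 -> CurrentControlSet mapping and the
ATT&CK technique ids are the author's assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the ten distinct 'Set value' rows from the report.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
"""

# description | path = "value" | process  (path may contain spaces, process does not)
ROW_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*?)" (\S+)$')

FIREWALL = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WSC = r"HKLM\SOFTWARE\Microsoft\Security Center"

# (key, value name) -> (expected value, description, ATT&CK technique).
# Assumed baseline for a hardened Windows 10 host; not taken from the report.
BASELINE = {
    (FIREWALL, "EnableFirewall"): (1, "Windows Firewall disabled", "T1562.004"),
    (FIREWALL, "DoNotAllowExceptions"): (0, "firewall exception policy (0 is the default)", "T1562.004"),
    (FIREWALL, "DisableNotifications"): (0, "firewall notifications suppressed", "T1562.004"),
    (POLICY, "EnableLUA"): (1, "UAC disabled (takes effect at next logon)", "T1548.002"),
    (WSC, "AntiVirusOverride"): (0, "Security Center AV state overridden", "T1562.001"),
    (WSC, "AntiVirusDisableNotify"): (0, "Security Center AV alerts suppressed", "T1562.001"),
    (WSC, "FirewallOverride"): (0, "Security Center firewall state overridden", "T1562.001"),
    (WSC, "FirewallDisableNotify"): (0, "Security Center firewall alerts suppressed", "T1562.001"),
    (WSC, "UpdatesDisableNotify"): (0, "Security Center update alerts suppressed", "T1562.001"),
    (WSC, "UacDisableNotify"): (0, "Security Center UAC alerts suppressed", "T1562.001"),
}


@dataclass
class Finding:
    key: str
    name: str
    observed: int
    expected: int
    view: str          # "native" or "WOW6432Node"
    label: str
    technique: str
    process: str

    @property
    def deviates(self) -> bool:
        return self.observed != self.expected


def normalise(path: str):
    """Map a native-format path to (HKLM\\... key, value name, registry view)."""
    prefix = "\\REGISTRY\\MACHINE\\"
    if not path.startswith(prefix):
        raise ValueError(f"unsupported hive: {path}")
    p = "HKLM\\" + path[len(prefix):]
    # Assumption: ControlSet001 was the active control set in the sandbox.
    p = p.replace("\\ControlSet001\\", "\\CurrentControlSet\\")
    view = "native"
    if "\\WOW6432Node\\" in p:
        # A 32-bit writer is redirected here; the 64-bit Security Center
        # service reads the native key, so both views must be checked.
        view = "WOW6432Node"
        p = p.replace("\\WOW6432Node\\", "\\")
    key, _, name = p.rpartition("\\")
    return key, name, view


def parse_rows(text: str):
    """Return (path, value, process) for every 'Set value' row; other rows carry no value."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        vtype, path, value, process = m.groups()
        rows.append((path, int(value) if vtype == "int" else value, process))
    return rows


def classify(rows):
    """One Finding per write that touches a baseline-controlled value."""
    findings = []
    for path, value, process in rows:
        key, name, view = normalise(path)
        if (key, name) not in BASELINE:
            continue
        expected, label, technique = BASELINE[(key, name)]
        findings.append(Finding(key, name, value, expected, view, label, technique, process))
    return findings


def remediation_commands(findings):
    """reg.exe commands restoring the baseline; /reg:32 targets the redirected view."""
    cmds = []
    for f in findings:
        if not f.deviates:
            continue
        view = " /reg:32" if f.view == "WOW6432Node" else ""
        cmds.append(f'reg add "{f.key}" /v {f.name} /t REG_DWORD /d {f.expected} /f{view}')
    return cmds


if __name__ == "__main__":
    found = classify(parse_rows(SAMPLE_ROWS))
    for f in found:
        flag = "TAMPERED" if f.deviates else "touched "
        print(f"{flag} {f.technique} [{f.view}] {f.key}\\{f.name} = {f.observed} ({f.label})")
    print("\n".join(remediation_commands(found)))
```

Run against the report's rows this yields ten touched values, nine of them deviating (DoNotAllowExceptions = 0 is the default and is reported as touched but not tampered), six of them in the WOW6432Node view. Treat the reg.exe output as a starting point only: a host that ran a file infector needs more than registry repair, and EnableLUA only takes effect at the next logon, so the UAC finding persists across a reboot until it is reset.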
Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\R: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\T: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\Z: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\G: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\M: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\O: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\W: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\H: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\J: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\K: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\L: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\Q: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\S: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\V: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\I: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\N: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\P: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\U: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\X: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\Y: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened (read-only) | \??\E: | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Drops autorun.inf file (1 TTP, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | process
  File opened for modification | C:\autorun.inf | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened for modification | F:\autorun.inf | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
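Probing every drive root and then writing autorun.inf to a non-system drive is the removable-media propagation pattern (ATT&CK T1091), and the two signatures above show both halves of it in one process. The script below is an added example, not part of the report: it rebuilds the "Enumerates connected drives" and "Drops autorun.inf file" rows as constructed input and turns them into a per-process verdict, parses an autorun.inf to list the commands Explorer could launch from it (the contents used are a placeholder, since this page does not show the dropped file), and decodes the NoDriveTypeAutoRun policy bitmask that blocks autorun per drive type. Caveat a responder should keep in mind: since Windows 7 (backported to older systems as KB971029) Explorer honours autorun.inf only on optical media, so on a patched host the dropped file mainly matters as an indicator that the drive was touched and as a risk to older machines that later mount it. The bit values are from Microsoft's documentation; the placeholder file name is hypothetical.

```python
"""Spot removable-media propagation in file-access IoCs and read autorun.inf.

Added example; not part of the tria.ge report.  The file events are rebuilt
from the report's 'File opened' rows; the autorun.inf content is a constructed
placeholder (this analysis does not show the dropped file's contents), and the
NoDriveTypeAutoRun bit values are from the Windows documentation.
"""
import re
from collections import defaultdict

PROC = "fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe"
# Drive letters in the order the report lists them (21 roots).
PROBED = "RTZGMOWHJKLQSVINPUXYE"
SAMPLE_EVENTS = "\n".join(f"File opened (read-only) \\??\\{d}: {PROC}" for d in PROBED) + f"""
File opened for modification C:\\autorun.inf {PROC}
File opened for modification F:\\autorun.inf {PROC}
"""

EVENT_RE = re.compile(r"^File (opened \(read-only\)|opened for modification|created) (.+?) (\S+)$")
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Z]):$")          # \??\X:
AUTORUN_RE = re.compile(r"^([A-Z]):\\autorun\.inf$", re.IGNORECASE)


def parse_events(text):
    """Return (action, path, process) tuples for every file-access row."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def propagation_findings(events, min_drives=5):
    """Per process: drive roots probed, drives that received autorun.inf, verdict."""
    probed, dropped = defaultdict(set), defaultdict(set)
    for action, path, process in events:
        if (m := DRIVE_ROOT_RE.match(path)):
            probed[process].add(m.group(1))
        elif action != "opened (read-only)" and (m := AUTORUN_RE.match(path)):
            dropped[process].add(m.group(1).upper())
    findings = {}
    for process in set(probed) | set(dropped):
        findings[process] = {
            "drives_probed": sorted(probed[process]),
            "autorun_dropped_on": sorted(dropped[process]),
            # Both halves together: wide drive sweep plus an autorun.inf write.
            "likely_propagation": len(probed[process]) >= min_drives and bool(dropped[process]),
        }
    return findings


# Constructed placeholder: the report records the write, not the file's contents.
SAMPLE_AUTORUN_INF = """
[autorun]
;placeholder contents for illustration only
open=payload.exe
shell\\open\\Command=payload.exe
shell\\explore\\Command=payload.exe
shellexecute=payload.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
UseAutoPlay=0
"""


def parse_autorun_inf(text):
    """Tolerant INI parse: only the [autorun] section, keys lower-cased, junk lines ignored."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            k, v = line.split("=", 1)
            entries[k.strip().lower()] = v.strip()
    return entries


def launch_targets(entries):
    """Every command Explorer could run from the file: open, shellexecute, shell\\<verb>\\command."""
    return {v for k, v in entries.items()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))}


# Bit per drive type in HKLM/HKCU\...\Policies\Explorer\NoDriveTypeAutoRun; set = autorun disabled.
DRIVE_TYPE_BITS = {"unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04,
                   "fixed": 0x08, "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40}


def autorun_disabled_by_policy(no_drive_type_autorun, drive_type):
    """True if the policy value disables autorun for this drive type (0xFF disables all)."""
    return bool(no_drive_type_autorun & DRIVE_TYPE_BITS[drive_type])


if __name__ == "__main__":
    for process, verdict in propagation_findings(parse_events(SAMPLE_EVENTS)).items():
        print(process, verdict)
    print("would launch:", launch_targets(parse_autorun_inf(SAMPLE_AUTORUN_INF)))
    print("default 0x91 blocks removable:", autorun_disabled_by_policy(0x91, "removable"))
```

On the report's rows this flags the sample: 21 drive roots probed and autorun.inf written on C: and F:. The default policy value 0x91 does not set the removable bit, which is why setting NoDriveTypeAutoRun to 0xFF is still the usual hardening step on fleets that contain machines older than Windows 7.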
UPX packed file (37 IoCs)
  All 37 matches are the same region of PID 3940 (0x00000000022C0000-0x000000000337A000) across successive memory snapshots.
  resource | yara_rule
  behavioral2/memory/3940-<n>-0x00000000022C0000-0x000000000337A000-memory.dmp | upx
  for <n> in: 1, 3, 5, 27, 20, 19, 4, 29, 31, 30, 50, 51, 61, 68, 70, 97, 104, 105, 111, 118, 119, 125, 127, 139, 140, 144, 145, 151, 152, 156, 166, 168, 169, 171, 175, 176, 177
Drops file in Program Files directory (11 IoCs)
  description | ioc | process
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\e578676 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  File opened for modification | C:\Windows\SYSTEM.INI | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DDB V. 1.0.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (64 IoCs)
  All 64 rows come from DDB V. 1.0.exe registering the COM control WelchGIFviewer.ucAniGIF (CLSID {7D518439-D9BE-4A7E-A76B-2FB2A03369F0}, TypeLib {3383D1F1-029B-43B1-8733-289322EA85FA}, interfaces {08D24088-19F0-490A-93C8-84B68381D155} and {C40DE621-5879-4553-882A-EA3F1109E290}) backed by GIFviewer.ocx in its SFX temp directory.
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290} | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\ = "WelchGIFviewer" | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155} | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1\ = "147857" | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155} | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32 | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32 | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control\ | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32 | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION\ = "1.0" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0 | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0 | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx0026D167E0\\GIFviewer.ocx, 30000" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\ = "0" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0" | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA} | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS\ = "2" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1 | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0} | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32 | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32 | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\ = "WelchGIFviewer.ucAniGIF" | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290} | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx0026D167E0\\GIFviewer.ocx" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx0026D167E0" | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32 | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx0026D167E0\\GIFviewer.ocx" | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "ucAniGIF" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID\ = "WelchGIFviewer.ucAniGIF" | DDB V. 1.0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "ucAniGIF" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF" | DDB V. 1.0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0" | DDB V. 1.0.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe   (2 entries)
  3176 | DDB V. 1.0.exe   (58 entries, interleaved with the msedge.exe entries below)
  1316 | msedge.exe   (2 entries)
  372  | msedge.exe   (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  pid | process
  372 | msedge.exe   (10 identical entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe   (64 identical entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | process
  372 | msedge.exe   (25 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid | process
  372 | msedge.exe   (24 identical entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  3176 | DDB V. 1.0.exe
  3176 | DDB V. 1.0.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | procid_target
  PID 3940 wrote to memory of 756 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 8
  PID 3940 wrote to memory of 764 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 9
  PID 3940 wrote to memory of 316 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 13
  PID 3940 wrote to memory of 2544 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 42
  PID 3940 wrote to memory of 2552 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 43
  PID 3940 wrote to memory of 2824 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 50
  PID 3940 wrote to memory of 3448 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 56
  PID 3940 wrote to memory of 3660 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 57
  PID 3940 wrote to memory of 3848 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 58
  PID 3940 wrote to memory of 3964 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 59
  PID 3940 wrote to memory of 4028 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 60
  PID 3940 wrote to memory of 692 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 61
  PID 3940 wrote to memory of 3880 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 62
  PID 3940 wrote to memory of 2388 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 74
  PID 3940 wrote to memory of 3668 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 76
  PID 3940 wrote to memory of 3176 | 3940 | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | 82   (3 entries)
  PID 3176 wrote to memory of 372 | 3176 | DDB V. 1.0.exe | 83   (2 entries)
  PID 372 wrote to memory of 1064 | 372 | msedge.exe | 84   (2 entries)
  PID 372 wrote to memory of 2216 | 372 | msedge.exe | 85   (40 entries)
  PID 372 wrote to memory of 1316 | 372 | msedge.exe | 86   (2 entries)
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe
Processes
(each entry: image path | command line | PID; indentation shows the parent/child relationship; signatures are listed under the process that triggered them)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 756
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 764
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID 316
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2544
- C:\Windows\system32\sihost.exe | sihost.exe | PID 2552
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2824
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3448
  - C:\Users\Admin\AppData\Local\Temp\fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\fce3e2274c2d06fe2e10e5f5c492d93d_JaffaCakes118.exe" | PID 3940
    Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Checks computer location settings; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops autorun.inf file; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\~sfx0026D167E0\DDB V. 1.0.exe | "C:\Users\Admin\AppData\Local\Temp\~sfx0026D167E0\DDB V. 1.0.exe" | PID 3176
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.dabat.tk/ | PID 372
        Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff636c46f8,0x7fff636c4708,0x7fff636c4718 | PID 1064
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2 | PID 2216
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3 | PID 1316
          Signatures: Suspicious behavior: EnumeratesProcesses
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8 | PID 1028
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1 | PID 1264
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1 | PID 2192
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1 | PID 3996
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1 | PID 2356
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8 | PID 4436
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8 | PID 4608
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1 | PID 1904
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1 | PID 4600
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1 | PID 2444
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1 | PID 4392
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1 | PID 524
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1 | PID 3516
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1471700774044028455,9834852819217076974,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5668 /prefetch:2 | PID 1484
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3660
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3848
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3964
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4028
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 692
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3880
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 2388
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3668
- C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding | PID 4612
- C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding | PID 1080
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 636
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1); Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize 152B
  MD5 b9569e123772ae290f9bac07e0d31748
  SHA1 5806ed9b301d4178a959b26d7b7ccf2c0abc6741
  SHA256 20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
  SHA512 cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795
- Filesize 152B
  MD5 eeaa8087eba2f63f31e599f6a7b46ef4
  SHA1 f639519deee0766a39cfe258d2ac48e3a9d5ac03
  SHA256 50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
  SHA512 eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c
- Filesize 6KB
  MD5 35769724dd277641b1f246620e411a95
  SHA1 5aa2da54414ba0f88368d076e1125ca4735618df
  SHA256 6c4c1fdd9c25fc47a40ea530c13f25bb1054a9bcf50d0d6aad93965d80b894ad
  SHA512 6b6bd3812ba183be22498268eb4f3b253784f30def841a2cd8fb4f22f30e97638df72bba337118ff583bfd7e87a622b3fa6e3a9eab81a9d078065cad768b16e9
- Filesize 5KB
  MD5 49c64b21401867791e1a6cd64bafa538
  SHA1 91a937006fa5812f0e54f0e98816d5eeeeb88764
  SHA256 c1f54c6590dbb5ebb71949b3b67205ec46ad9eecda34cf5f8c35fde06b581043
  SHA512 2daf0d9463b9cee70b09fb07170653875f2bea0aa2c91acd65e2108cb33f03a9f9d5f0911b67eb8f252716fad7fb23ce0f18a170476efd6774b93936a31a83cb
- Filesize 16B
  MD5 6752a1d65b201c13b62ea44016eb221f
  SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize 10KB
  MD5 69c9945efc8f33033fd8bd16767dae19
  SHA1 3f2d93a5e7bc68e9c03bd5ef8f698dcb02f82cac
  SHA256 fd1302188d405901ac7a7468051e55f0d0f256ffe755a88d0e0ce841a612e158
  SHA512 7f66118e233b3bf7be85a08d4cc394c61458bce5c2c458698e64599553f49471e30dcc041022976efc332c10d405fba42fbe51978346425668c51f06b7b1c947
- Filesize 10KB
  MD5 2e2d58c7def64d5a4cf9758388ed5c46
  SHA1 18268a96ce54550abf651522444899e5feeda89a
  SHA256 baa969e20195861b39abfacf2fa35e6356762de0aca8ba5de5a16abb3f9162cc
  SHA512 53cb22cc4bc8f385c3094a10ef44c53e313c371b305f75630000daa460e2ab3346037e13a235533eae908f17c2d8dbd0902b1d02a6d307a8e2fa629fc1141270
- Filesize 260KB
  MD5 99daec22ea48c348ee431c334d69feae
  SHA1 95174432ddc9576a21dc3281a23926b67c4abb91
  SHA256 bcf12f89c864b93a826ef9ef96a2cc238f105f1e3c45e0d24eee16af47f83219
  SHA512 2ec5eaacaa25cd8d00c9b0f5dfbe332b4afa4c283bc1f9d9e8f282c6979776ae5d58a086ffa720e52d14ee787ec301e8fd3a3b7f24e808dc0f11f09ad12b346e
- Filesize 100KB
  MD5 73404435b36b8cb9ea68be6d4249488e
  SHA1 ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02
  SHA256 2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c
  SHA512 e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7
- Filesize 97KB
  MD5 0f9daee2381c85988ae0ebaa155169e1
  SHA1 7bc9139171a15cfda3adb31dbe10465adc130f0f
  SHA256 c87daeb8e5b37836380afe4bb079d6a90d73bc9ad4f5ab01f087dbfceafc7c2e
  SHA512 056399e5609d180d56c3938268bf408173ba041189bf388a87c66faa4cf994f82e55e3aa819aa25bc64a4d1009a02f6fb3db00c8e4283602ce50ef94a38ef283