029bb2aa2ba31f1b8193f2b392e96f7c8be92efeec4a6f2c551d43f30b5678f6

Analysis

max time kernel
148s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Size

500KB
MD5

feea738c5a1eb0b22d65f78dd78caa62
SHA1

5032cef9e8540b8c596c244dbf6612e4c3e16d36
SHA256

029bb2aa2ba31f1b8193f2b392e96f7c8be92efeec4a6f2c551d43f30b5678f6
SHA512

f5cfdfb267c31444a23d94066a2d1e8a12c32cf8d4eb80c38a15db941c884008fb4c898238a3c2e590243664cca55cd6ac651aff12024253b8091a7a3a779292
SSDEEP

12288:54+baNi4nlm+3aIRfW499u9V3iqJ2DcbOTnLR:WGaNi4lH3ayW49g9IfDcbmV

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E67FE80C-87FF-ACAD-4BF2-DAB6BB02E4AF}	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E67FE80C-87FF-ACAD-4BF2-DAB6BB02E4AF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{E67FE80C-87FF-ACAD-4BF2-DAB6BB02E4AF}	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{E67FE80C-87FF-ACAD-4BF2-DAB6BB02E4AF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 2136	1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	33

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2136-28-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-35-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-27-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-36-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-37-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-34-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-31-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-50-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-55-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-57-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-58-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-59-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-62-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-66-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-67-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2136-71-0x0000000000400000-0x00000000004DA000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3028	reg.exe
3052	reg.exe
2672	reg.exe
1688	reg.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: 1	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeTcbPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeSecurityPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeBackupPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeRestorePrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeShutdownPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeDebugPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeAuditPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeUndockPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: 31	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: 32	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: 33	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: 34	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: 35	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
Token: SeDebugPrivilege	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2188	1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2188	1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2188	1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2188	1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	30
PID 2188 wrote to memory of 3044	2188	csc.exe	32
PID 2188 wrote to memory of 3044	2188	csc.exe	32
PID 2188 wrote to memory of 3044	2188	csc.exe	32
PID 2188 wrote to memory of 3044	2188	csc.exe	32
PID 1984 wrote to memory of 2136	1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	33
PID 1984 wrote to memory of 2136	1984	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	33
PID 2136 wrote to memory of 2852	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	34
PID 2136 wrote to memory of 2852	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	34
PID 2136 wrote to memory of 2852	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	34
PID 2136 wrote to memory of 2852	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	34
PID 2136 wrote to memory of 2880	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	35
PID 2136 wrote to memory of 2880	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	35
PID 2136 wrote to memory of 2880	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	35
PID 2136 wrote to memory of 2880	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	35
PID 2136 wrote to memory of 2840	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	37
PID 2136 wrote to memory of 2840	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	37
PID 2136 wrote to memory of 2840	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	37
PID 2136 wrote to memory of 2840	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	37
PID 2136 wrote to memory of 1784	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	38
PID 2136 wrote to memory of 1784	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	38
PID 2136 wrote to memory of 1784	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	38
PID 2136 wrote to memory of 1784	2136	feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe	38
PID 1784 wrote to memory of 2672	1784	cmd.exe	42
PID 1784 wrote to memory of 2672	1784	cmd.exe	42
PID 1784 wrote to memory of 2672	1784	cmd.exe	42
PID 1784 wrote to memory of 2672	1784	cmd.exe	42
PID 2852 wrote to memory of 3028	2852	cmd.exe	43
PID 2852 wrote to memory of 3028	2852	cmd.exe	43
PID 2852 wrote to memory of 3028	2852	cmd.exe	43
PID 2852 wrote to memory of 3028	2852	cmd.exe	43
PID 2880 wrote to memory of 3052	2880	cmd.exe	44
PID 2880 wrote to memory of 3052	2880	cmd.exe	44
PID 2880 wrote to memory of 3052	2880	cmd.exe	44
PID 2880 wrote to memory of 3052	2880	cmd.exe	44
PID 2840 wrote to memory of 1688	2840	cmd.exe	45
PID 2840 wrote to memory of 1688	2840	cmd.exe	45
PID 2840 wrote to memory of 1688	2840	cmd.exe	45
PID 2840 wrote to memory of 1688	2840	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pegfwj-v.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES867F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC867E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3044
- C:\Users\Admin\AppData\Roaming\feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
  C:\Users\Admin\AppData\Roaming\feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explorer.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explorer.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES867F.tmp

Filesize
1KB

MD5
5ff2c04f16b441331d07df86c2f09a03

SHA1
cb43ff5203ac64914f3a1867c18ee333b109605a

SHA256
055f30c26ee03fe526b64bd543e0ba45632c68bcc627dbb5f9d2a53a9f99b6fb

SHA512
e063191fbcb28379d02017849acaa5f99e3f9078a32e9ce2bfc5c1e18784e4de8804a83c2b41d1b8870b92cc2ce7d90753255e2b25dcdf121923826d1d816893

Download Submit
C:\Users\Admin\AppData\Local\Temp\pegfwj-v.dll

Filesize
5KB

MD5
a934ff52bf83c89a76af43da9104bddf

SHA1
7e00da72764a8ac2ad929fa2f64d573b2c881487

SHA256
4db562dd512a09e1cab30352352aa203c11eebd6a8b3270bf5a4ddd5ad3d7e13

SHA512
3f1806245464dd54ff7b1d172ad020494429b674c1898d559cf99af3c312ea3990c89111557974838195c0726c1d3092d440d439d008d2c0d43d7d1e9ecf0905

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC867E.tmp

Filesize
652B

MD5
c71644a0d3e19d1b9f2415a5bd9fb5c4

SHA1
4b595e74ba311bf069bf988fdb4914f4b7ad2528

SHA256
c24ee38f07b4bc6739e8fa91257204dd973634a418e97c04427d9e1cac2b3505

SHA512
946317b4acb346356f421b477a5181b523b9d2d36e0aa2fadfec28cf5c17bf406439f9133420e60178820ed1a32784669454715d05573f85b9aeae62dbc34b01

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pegfwj-v.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pegfwj-v.cmdline

Filesize
206B

MD5
68a911a8a7be964b7e0a97e045566b1c

SHA1
b2e65bb7963ff01027a32f25a8148a6c7ca86f08

SHA256
7e696e95ad5581016d2aac1a20cdbe6cc5f8267472fd9e448cbbbacdeef858f3

SHA512
aef0910d38834b19fdb46006ef67d9cc551fd0f8a0a234423990163b046687deaa77cd7f99006054f984334f1cd5179de86449bd1f3e5bbba1061bd9ef0e652d

Download Submit
\Users\Admin\AppData\Roaming\feea738c5a1eb0b22d65f78dd78caa62_JaffaCakes118.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
memory/1984-39-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-1-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-0-0x0000000074F11000-0x0000000074F12000-memory.dmp

Filesize
4KB

Download
memory/1984-2-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/2136-49-0x0000000077310000-0x0000000077420000-memory.dmp

Filesize
1.1MB

Download
memory/2136-47-0x0000000077310000-0x0000000077420000-memory.dmp

Filesize
1.1MB

Download
memory/2136-28-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-35-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-27-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2136-36-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-37-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-71-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-34-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-31-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-67-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-48-0x0000000077310000-0x0000000077420000-memory.dmp

Filesize
1.1MB

Download
memory/2136-25-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-46-0x0000000077328000-0x0000000077329000-memory.dmp

Filesize
4KB

Download
memory/2136-50-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-51-0x0000000077310000-0x0000000077420000-memory.dmp

Filesize
1.1MB

Download
memory/2136-52-0x0000000077310000-0x0000000077420000-memory.dmp

Filesize
1.1MB

Download
memory/2136-54-0x0000000077310000-0x0000000077420000-memory.dmp

Filesize
1.1MB

Download
memory/2136-55-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-57-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-58-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-59-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-62-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2136-66-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2188-8-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/2188-15-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads