Analysis
max time kernel: 150s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 01/10/2024, 00:20

Static task: static1
Behavioral task: behavioral1
  Sample: 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
Size: 82KB
MD5: 03bd7cae039e262c631fb39ebc1211ff
SHA1: 06d4dff49e1bdbf84d4b73d76d82229b743c2cd6
SHA256: 1dbbbc1945c70764b2fd23abe297dd0491887310aaeacb8df57c52217795a346
SHA512: 4013b7227fbb55b7c4bf4c719fdd20c41f7440fb885e6bca5faefb98678e17b3c02365202d250d30d903617cf82f6a5b37f090b23f27d4bf0fa7ec564a4b4673
SSDEEP: 1536:sbOJvHdltZsCzWt7IEllRLgToq6MBivJR:sbEv/tZo+EllRLgToq6MBiv3
Malware Config
Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\windows\\system32\\drivers\\svchost.exe" | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe

UAC bypass
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
Drops file in Drivers directory 4 IoCs
description | ioc | Process
File created | C:\WINDOWS\system32\drivers\stub.exe | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
File created | C:\windows\system32\drivers\svchost.exe | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
File created | C:\windows\system32\drivers\tmpp.exe | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
File created | C:\WINDOWS\system32\drivers\Interop.MessengerAPI.dll | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | F:\recycler\S-1-5-21-8749679017-0950430147-468708784-3200\desktop.ini | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
File created | F:\recycler\S-1-5-21-8749679017-0950430147-468708784-3200\desktop.ini | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
Modifies WinLogon 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe, C:\\WINDOWS\\system32\\dllcache\\recycled.exe" | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | F:\autorun.inf | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
Drops file in System32 directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3820 | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\03bd7cae039e262c631fb39ebc1211ff_JaffaCakes118.exe"  PID: 3820
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification

[level 2] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 892
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 3] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3692
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

[level 4] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 5008
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 5] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 912
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 6] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 1320
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 7] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2332
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 8] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 1576
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 9] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 736
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 10] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2508
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 11] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 460
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

[level 12] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2144
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 13] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3536
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 14] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4396
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 15] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4592
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 16] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 660
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 17] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3608
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 18] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2840
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 19] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3628
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

[level 20] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4364
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

[level 21] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 1816
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 22] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 1752
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 23] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 892
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 24] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2140
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 25] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4360
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 26] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4300
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 27] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 772
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 28] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3728
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 29] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2448
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 30] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4940
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

[level 31] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 1336
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 32] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 316
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[level 33] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 1756
- Executes dropped EXE

[level 34] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2096
- Executes dropped EXE

[level 35] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3276
- Checks computer location settings
- Executes dropped EXE

[level 36] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 5052
- Executes dropped EXE
- Drops file in System32 directory

[level 37] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 220
- Executes dropped EXE
- Drops file in System32 directory

[level 38] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3008
- Checks computer location settings
- Executes dropped EXE

[level 39] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4252
- Executes dropped EXE
- Drops file in System32 directory

[level 40] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4364
- Executes dropped EXE

[level 41] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 432
- Checks computer location settings
- Executes dropped EXE

[level 42] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2692
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory

[level 43] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4584
- Executes dropped EXE

[level 44] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3032
- Executes dropped EXE

[level 45] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2128
- Executes dropped EXE

[level 46] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 1320
- Executes dropped EXE
- Drops file in System32 directory

[level 47] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2300
- Executes dropped EXE

[level 48] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 824
- Executes dropped EXE

[level 49] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3416
- Checks computer location settings
- Executes dropped EXE

[level 50] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4788
- Checks computer location settings
- Executes dropped EXE

[level 51] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4728
- Executes dropped EXE

[level 52] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2820
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory

[level 53] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3464
- Checks computer location settings
- Executes dropped EXE

[level 54] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2456
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory

[level 55] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2144
- Executes dropped EXE

[level 56] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4620
- Checks computer location settings
- Executes dropped EXE

[level 57] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3276
- Executes dropped EXE

[level 58] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3496
- Executes dropped EXE

[level 59] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 5052
- Executes dropped EXE
- Drops file in System32 directory

[level 60] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4604
- Checks computer location settings
- Executes dropped EXE

[level 61] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2980
- Executes dropped EXE

[level 62] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4252
- Executes dropped EXE

[level 63] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2704
- Executes dropped EXE

[level 64] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2492
- Executes dropped EXE
- Drops file in System32 directory

[level 65] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4356
- Checks computer location settings
- Executes dropped EXE

[level 66] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 1980
- Checks computer location settings
- Drops file in System32 directory

[level 67] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4308
- Drops file in System32 directory

[level 68] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 1700
- Checks computer location settings
- Drops file in System32 directory

[level 69] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2272
- Checks computer location settings

[level 70] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4300
- Checks computer location settings
- Drops file in System32 directory

[level 71] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2332
- Checks computer location settings

[level 72] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2828

[level 73] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2364
- Drops file in System32 directory

[level 74] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 736
- Checks computer location settings
- Drops file in System32 directory

[level 75] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3656
- Drops file in System32 directory

[level 76] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4396
- Checks computer location settings

[level 77] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3464

[level 78] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 800

[level 79] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3232
- Checks computer location settings
- Drops file in System32 directory

[level 80] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3632

[level 81] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 212
- Drops file in System32 directory

[level 82] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2840
- Checks computer location settings

[level 83] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2188

[level 84] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 1996
- Drops file in System32 directory

[level 85] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4800

[level 86] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 1316
- Drops file in System32 directory

[level 87] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2388

[level 88] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 1936

[level 89] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4852

[level 90] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4008
- Drops file in System32 directory

[level 91] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 608

[level 92] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2128
- Checks computer location settings
- Drops file in System32 directory

[level 93] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 3268
- Drops file in System32 directory

[level 94] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 1464

[level 95] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 4228

[level 96] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 2968
- Checks computer location settings

[level 97] C:\WINDOWS\system32\dllcache\temp.exe  "C:\WINDOWS\system32\dllcache\temp.exe"  PID: 1180
-
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"98⤵PID:4804
-
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"99⤵PID:1336
-
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"100⤵
- Drops file in System32 directory
PID:364 -
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"101⤵
- Checks computer location settings
- Drops file in System32 directory
PID:324 -
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"102⤵PID:856
-
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"103⤵
- Drops file in System32 directory
PID:3464 -
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"104⤵PID:2144
-
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"105⤵
- Drops file in System32 directory
PID:1624 -
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"106⤵
- Checks computer location settings
PID:2908 -
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"107⤵PID:224
-
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"108⤵PID:2840
-
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"109⤵PID:2188
-
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"110⤵
- Drops file in System32 directory
PID:3324 -
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"111⤵
- Checks computer location settings
PID:1604 -
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"112⤵PID:4344
-
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"113⤵PID:3868
-
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"114⤵
- Drops file in System32 directory
PID:4176 -
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"115⤵
- Drops file in System32 directory
PID:4852 -
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"116⤵PID:4008
-
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"117⤵PID:648
-
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"118⤵PID:3168
-
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"119⤵
- Checks computer location settings
PID:2272 -
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"120⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4300 -
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"121⤵PID:1576
-
C:\WINDOWS\system32\dllcache\temp.exe"C:\WINDOWS\system32\dllcache\temp.exe"122⤵PID:512