4081a1df48df595dc59bb733841e53968817fc010e015b55f2570a85f16615cc

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 10:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe
Size

19KB
MD5

058a83deb4b5ca454a576c5e84df09f0
SHA1

de9c5000cd6e888c5d4c7f21621475f9f66ba0b7
SHA256

4081a1df48df595dc59bb733841e53968817fc010e015b55f2570a85f16615cc
SHA512

cc21d00c303dcd7c35cb50bb7aa61fbd6243d31ee4ba50906af6b248a49b66c2ddcb8acbeb58d134066b989ca423cccea9c1620388388fd052f7d9f72be64008
SSDEEP

384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh5Xd0PDAMlQ:g5BOFKksO1mE9B77777J77c77c77c71b

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\2F0A0C6.exe\""	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\2F0A0C6.exe\""	2F0A0C6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\2F0A0C6.exe\""	2F0A0C6RQVUUQ.exe

Executes dropped EXE 5 IoCs

pid	Process
2852	2F0A0C6.exe
1208	2F0A0C6RQVUUQ.exe
2004	2F0A0C6RQVUUQ.exe
2352	2F0A0C6.exe
1608	2F0A0C6.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2F0A0C6.exe = "C:\\Windows\\2F0A0C6.exe"	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2F0A0C6.exe = "C:\\Windows\\2F0A0C6.exe"	2F0A0C6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2F0A0C6.exe = "C:\\Windows\\2F0A0C6.exe"	2F0A0C6RQVUUQ.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0008000000016ce8-7.dat	upx
behavioral1/files/0x0008000000016ce0-14.dat	upx
behavioral1/memory/2852-15-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2004-30-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1608-38-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1972-37-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2352-34-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1972-44-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1608-46-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2852-47-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1208-50-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2852-52-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1208-53-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2852-54-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1208-55-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2852-56-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2852-58-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1208-59-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2852-60-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1208-61-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2852-62-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1208-63-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2852-64-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1208-65-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1208-67-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2852-68-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1208-69-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2852-70-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1208-71-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2852-72-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1208-73-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2852-74-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2852-76-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2852-78-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1208-79-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2F0A0C6.exe	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe
File opened for modification	C:\Windows\2F0A0C6RQVUUQ.exe	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2F0A0C6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2F0A0C6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2F0A0C6RQVUUQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2F0A0C6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2F0A0C6RQVUUQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe

Kills process with taskkill 42 IoCs

evasion

pid	Process
1008	TASKKILL.exe
2320	TASKKILL.exe
2768	TASKKILL.exe
2704	TASKKILL.exe
1864	TASKKILL.exe
2036	TASKKILL.exe
1032	TASKKILL.exe
1516	TASKKILL.exe
1560	TASKKILL.exe
2444	TASKKILL.exe
2292	TASKKILL.exe
600	TASKKILL.exe
2960	TASKKILL.exe
1804	TASKKILL.exe
272	TASKKILL.exe
2068	TASKKILL.exe
2240	TASKKILL.exe
1316	TASKKILL.exe
2924	TASKKILL.exe
2820	TASKKILL.exe
2308	TASKKILL.exe
908	TASKKILL.exe
1020	TASKKILL.exe
2128	TASKKILL.exe
2440	TASKKILL.exe
1716	TASKKILL.exe
2496	TASKKILL.exe
1092	TASKKILL.exe
544	TASKKILL.exe
1148	TASKKILL.exe
1396	TASKKILL.exe
2336	TASKKILL.exe
2500	TASKKILL.exe
2316	TASKKILL.exe
2732	TASKKILL.exe
3020	TASKKILL.exe
2556	TASKKILL.exe
1484	TASKKILL.exe
2552	TASKKILL.exe
2412	TASKKILL.exe
784	TASKKILL.exe
960	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	TASKKILL.exe
Token: SeDebugPrivilege	1716	TASKKILL.exe
Token: SeDebugPrivilege	2820	TASKKILL.exe
Token: SeDebugPrivilege	2768	TASKKILL.exe
Token: SeDebugPrivilege	2128	TASKKILL.exe
Token: SeDebugPrivilege	2444	TASKKILL.exe
Token: SeDebugPrivilege	2292	TASKKILL.exe
Token: SeDebugPrivilege	2732	TASKKILL.exe
Token: SeDebugPrivilege	2500	TASKKILL.exe
Token: SeDebugPrivilege	2320	TASKKILL.exe
Token: SeDebugPrivilege	2960	TASKKILL.exe
Token: SeDebugPrivilege	2496	TASKKILL.exe
Token: SeDebugPrivilege	2240	TASKKILL.exe
Token: SeDebugPrivilege	2068	TASKKILL.exe
Token: SeDebugPrivilege	2316	TASKKILL.exe
Token: SeDebugPrivilege	1864	TASKKILL.exe
Token: SeDebugPrivilege	2556	TASKKILL.exe
Token: SeDebugPrivilege	2308	TASKKILL.exe
Token: SeDebugPrivilege	1316	TASKKILL.exe
Token: SeDebugPrivilege	1804	TASKKILL.exe
Token: SeDebugPrivilege	1008	TASKKILL.exe
Token: SeDebugPrivilege	600	TASKKILL.exe
Token: SeDebugPrivilege	2704	TASKKILL.exe
Token: SeDebugPrivilege	2924	TASKKILL.exe
Token: SeDebugPrivilege	2412	TASKKILL.exe
Token: SeDebugPrivilege	908	TASKKILL.exe
Token: SeDebugPrivilege	3020	TASKKILL.exe
Token: SeDebugPrivilege	1484	TASKKILL.exe
Token: SeDebugPrivilege	544	TASKKILL.exe
Token: SeDebugPrivilege	1020	TASKKILL.exe
Token: SeDebugPrivilege	272	TASKKILL.exe
Token: SeDebugPrivilege	1032	TASKKILL.exe
Token: SeDebugPrivilege	2552	TASKKILL.exe
Token: SeDebugPrivilege	960	TASKKILL.exe
Token: SeDebugPrivilege	784	TASKKILL.exe
Token: SeDebugPrivilege	1560	TASKKILL.exe
Token: SeDebugPrivilege	2036	TASKKILL.exe
Token: SeDebugPrivilege	2336	TASKKILL.exe
Token: SeDebugPrivilege	1396	TASKKILL.exe
Token: SeDebugPrivilege	1092	TASKKILL.exe
Token: SeDebugPrivilege	1516	TASKKILL.exe
Token: SeDebugPrivilege	1148	TASKKILL.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe
2852	2F0A0C6.exe
1208	2F0A0C6RQVUUQ.exe
2004	2F0A0C6RQVUUQ.exe
2352	2F0A0C6.exe
1608	2F0A0C6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2500	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2500	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2500	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2500	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2128	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2128	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2128	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2128	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2444	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	32
PID 1972 wrote to memory of 2444	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	32
PID 1972 wrote to memory of 2444	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	32
PID 1972 wrote to memory of 2444	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	32
PID 1972 wrote to memory of 2440	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	33
PID 1972 wrote to memory of 2440	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	33
PID 1972 wrote to memory of 2440	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	33
PID 1972 wrote to memory of 2440	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	33
PID 1972 wrote to memory of 2068	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2068	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2068	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2068	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	34
PID 1972 wrote to memory of 1716	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	36
PID 1972 wrote to memory of 1716	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	36
PID 1972 wrote to memory of 1716	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	36
PID 1972 wrote to memory of 1716	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	36
PID 1972 wrote to memory of 2320	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	38
PID 1972 wrote to memory of 2320	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	38
PID 1972 wrote to memory of 2320	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	38
PID 1972 wrote to memory of 2320	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	38
PID 1972 wrote to memory of 2292	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	41
PID 1972 wrote to memory of 2292	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	41
PID 1972 wrote to memory of 2292	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	41
PID 1972 wrote to memory of 2292	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	41
PID 1972 wrote to memory of 2496	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	42
PID 1972 wrote to memory of 2496	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	42
PID 1972 wrote to memory of 2496	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	42
PID 1972 wrote to memory of 2496	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	42
PID 1972 wrote to memory of 2316	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	43
PID 1972 wrote to memory of 2316	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	43
PID 1972 wrote to memory of 2316	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	43
PID 1972 wrote to memory of 2316	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	43
PID 1972 wrote to memory of 2768	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	44
PID 1972 wrote to memory of 2768	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	44
PID 1972 wrote to memory of 2768	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	44
PID 1972 wrote to memory of 2768	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	44
PID 1972 wrote to memory of 2732	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	45
PID 1972 wrote to memory of 2732	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	45
PID 1972 wrote to memory of 2732	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	45
PID 1972 wrote to memory of 2732	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	45
PID 1972 wrote to memory of 2556	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	46
PID 1972 wrote to memory of 2556	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	46
PID 1972 wrote to memory of 2556	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	46
PID 1972 wrote to memory of 2556	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	46
PID 1972 wrote to memory of 2820	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	47
PID 1972 wrote to memory of 2820	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	47
PID 1972 wrote to memory of 2820	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	47
PID 1972 wrote to memory of 2820	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	47
PID 1972 wrote to memory of 2852	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	51
PID 1972 wrote to memory of 2852	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	51
PID 1972 wrote to memory of 2852	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	51
PID 1972 wrote to memory of 2852	1972	058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe	51
PID 2852 wrote to memory of 2704	2852	2F0A0C6.exe	59
PID 2852 wrote to memory of 2704	2852	2F0A0C6.exe	59
PID 2852 wrote to memory of 2704	2852	2F0A0C6.exe	59
PID 2852 wrote to memory of 2704	2852	2F0A0C6.exe	59

C:\Users\Admin\AppData\Local\Temp\058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\058a83deb4b5ca454a576c5e84df09f0_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\2F0A0C6.exe
  C:\Windows\2F0A0C6.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:600
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\2F0A0C6RQVUUQ.exe
    C:\Windows\2F0A0C6RQVUUQ.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1208
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1020
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1092
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1148
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:784
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2552
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:272
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1396
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2036
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:960
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1032
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1516
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:544
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1560
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2336
  - - C:\Windows\2F0A0C6RQVUUQ.exe
      C:\Windows\2F0A0C6RQVUUQ.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2004
  - - C:\Windows\2F0A0C6.exe
      C:\Windows\2F0A0C6.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2352
- - C:\Windows\2F0A0C6.exe
    C:\Windows\2F0A0C6.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\2F0A0C6.exe

Filesize
16KB

MD5
dd8458aedbbd4a0ef1cc0030fe232d87

SHA1
425ce52efeed2db6d81d39b7c56555597578ab48

SHA256
11dce98da4350436be3a2bd90d320839d418c832883dc81e9f421ba0a9c4919b

SHA512
acf84e6a83eaefeea5beda5c000b878e662052964f1a2ec1e755cc3e4cef3b1db4f46c58b3e5939e5428ab9aa8363e8bea1ffdd1fd7c9d6806419f61faf29f72

Download Submit
C:\Windows\2F0A0C6RQVUUQ.exe

Filesize
18KB

MD5
97da071cc37482752ced200a24d862e9

SHA1
bb2bdba5a59bffa96e73931dfec795268e1d6889

SHA256
cabf59444c31c0f2aacd4981cb16ac0383b6882ed8bbd19077012535d909c3d3

SHA512
2bcb72e36ce563f97ce1d5e76ff28efd71fbef82566d98b52b34769e8df0bb3e5c4a95f0800f53207889ecfcb8cbc3b5c77caadf76995230b0b8cc010d2a6c13

Download Submit
memory/1208-67-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1208-61-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1208-79-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1208-73-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1208-71-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1208-69-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1208-65-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1208-51-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/1208-63-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1208-35-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/1208-50-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1208-59-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1208-53-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1208-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1608-46-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1608-38-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1972-44-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1972-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1972-12-0x0000000000370000-0x000000000037F000-memory.dmp

Filesize
60KB

Download
memory/1972-37-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1972-13-0x0000000000370000-0x000000000037F000-memory.dmp

Filesize
60KB

Download
memory/2004-30-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2352-34-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-64-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-68-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-60-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-58-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-62-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-47-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-48-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/2852-49-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/2852-52-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-19-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/2852-70-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-20-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/2852-72-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-15-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-74-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-76-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-78-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2852-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads