0a33e02c2cf35dc3d2a7404bebcc20080fe00876b92509464ba64302ae3d5239

Analysis

max time kernel
141s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 17:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
Size

335KB
MD5

06bf28afb24066ddb543d633e4bc441b
SHA1

dca692fb1b0752a53c9c31bdea7c8e9e004e9d37
SHA256

0a33e02c2cf35dc3d2a7404bebcc20080fe00876b92509464ba64302ae3d5239
SHA512

a21df423a6c18cb1662eef28619886eff08d53c63ce180ca9313fbf9aa5a2adb632178035e530a26519877b5897fc32b07a13bbb5ef0d4bb522d0c77f67e40e9
SSDEEP

6144:DBj6B6kP/KRvA9HmNR92bIjLxPTYra385tnDzeO+SsZPqXhEWw3g/r3IDhIDsWCx:s6kPIA9mR9jXZkznXL+C7l/fIX6cgD0

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mchInjDrv\ImagePath = "\\??\\C:\\Windows\\TEMP\\mc2EB58.tmp"	Hacker.com.cn.exe

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2696	Hacker.com.cn.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Hacker.com.cn.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
File created	C:\Windows\GBRTRL.DAT	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
File created	C:\Windows\YVXQBB.DAT	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
File created	C:\Windows\KVIGGX.DAT	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
File created	C:\Windows\Hacker.com.cn.exe	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53015660-B044-4B07-BCDC-B159A29E69C3}\WpadDecision = "0"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53015660-B044-4B07-BCDC-B159A29E69C3}	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53015660-B044-4B07-BCDC-B159A29E69C3}\WpadDecisionReason = "1"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-66-90-87-b0-fc	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53015660-B044-4B07-BCDC-B159A29E69C3}\WpadDecisionTime = 40dba62e2814db01	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-66-90-87-b0-fc\WpadDecisionTime = c02f06642814db01	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-66-90-87-b0-fc\WpadDetectedUrl	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-66-90-87-b0-fc\WpadDecision = "0"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53015660-B044-4B07-BCDC-B159A29E69C3}\72-66-90-87-b0-fc	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-66-90-87-b0-fc\WpadDecisionTime = 40dba62e2814db01	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53015660-B044-4B07-BCDC-B159A29E69C3}\WpadNetworkName = "Network 3"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-66-90-87-b0-fc\WpadDecisionReason = "1"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53015660-B044-4B07-BCDC-B159A29E69C3}\WpadDecisionTime = c02f06642814db01	Hacker.com.cn.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2696	Hacker.com.cn.exe
2696	Hacker.com.cn.exe
2696	Hacker.com.cn.exe
2696	Hacker.com.cn.exe
2696	Hacker.com.cn.exe
2696	Hacker.com.cn.exe
2696	Hacker.com.cn.exe
2696	Hacker.com.cn.exe
2696	Hacker.com.cn.exe
2696	Hacker.com.cn.exe
2696	Hacker.com.cn.exe
2696	Hacker.com.cn.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2696	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
Token: SeDebugPrivilege	2696	Hacker.com.cn.exe
Token: SeAssignPrimaryTokenPrivilege	2696	Hacker.com.cn.exe
Token: SeIncreaseQuotaPrivilege	2696	Hacker.com.cn.exe
Token: SeSecurityPrivilege	2696	Hacker.com.cn.exe
Token: SeTakeOwnershipPrivilege	2696	Hacker.com.cn.exe
Token: SeLoadDriverPrivilege	2696	Hacker.com.cn.exe
Token: SeSystemtimePrivilege	2696	Hacker.com.cn.exe
Token: SeShutdownPrivilege	2696	Hacker.com.cn.exe
Token: SeSystemEnvironmentPrivilege	2696	Hacker.com.cn.exe
Token: SeUndockPrivilege	2696	Hacker.com.cn.exe
Token: SeManageVolumePrivilege	2696	Hacker.com.cn.exe
Token: SeDebugPrivilege	2696	Hacker.com.cn.exe
Token: SeIncreaseQuotaPrivilege	2844	cmd.exe
Token: SeSecurityPrivilege	2844	cmd.exe
Token: SeTakeOwnershipPrivilege	2844	cmd.exe
Token: SeLoadDriverPrivilege	2844	cmd.exe
Token: SeSystemProfilePrivilege	2844	cmd.exe
Token: SeSystemtimePrivilege	2844	cmd.exe
Token: SeProfSingleProcessPrivilege	2844	cmd.exe
Token: SeIncBasePriorityPrivilege	2844	cmd.exe
Token: SeCreatePagefilePrivilege	2844	cmd.exe
Token: SeShutdownPrivilege	2844	cmd.exe
Token: SeDebugPrivilege	2844	cmd.exe
Token: SeSystemEnvironmentPrivilege	2844	cmd.exe
Token: SeRemoteShutdownPrivilege	2844	cmd.exe
Token: SeUndockPrivilege	2844	cmd.exe
Token: SeManageVolumePrivilege	2844	cmd.exe
Token: 33	2844	cmd.exe
Token: 34	2844	cmd.exe
Token: 35	2844	cmd.exe
Token: SeDebugPrivilege	2844	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2696	Hacker.com.cn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2696	Hacker.com.cn.exe
2696	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2844	2636	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe	33
PID 2636 wrote to memory of 2844	2636	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe	33
PID 2636 wrote to memory of 2844	2636	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe	33
PID 2636 wrote to memory of 2844	2636	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe	33
PID 2636 wrote to memory of 2844	2636	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe	33
PID 2636 wrote to memory of 2844	2636	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe	33
PID 2636 wrote to memory of 2844	2636	06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe	33
PID 2696 wrote to memory of 2248	2696	Hacker.com.cn.exe	32
PID 2696 wrote to memory of 2248	2696	Hacker.com.cn.exe	32
PID 2696 wrote to memory of 2248	2696	Hacker.com.cn.exe	32
PID 2696 wrote to memory of 2248	2696	Hacker.com.cn.exe	32
PID 2696 wrote to memory of 256	2696	Hacker.com.cn.exe	1
PID 2696 wrote to memory of 256	2696	Hacker.com.cn.exe	1
PID 2696 wrote to memory of 332	2696	Hacker.com.cn.exe	2
PID 2696 wrote to memory of 332	2696	Hacker.com.cn.exe	2
PID 2696 wrote to memory of 380	2696	Hacker.com.cn.exe	3
PID 2696 wrote to memory of 380	2696	Hacker.com.cn.exe	3
PID 2696 wrote to memory of 388	2696	Hacker.com.cn.exe	4
PID 2696 wrote to memory of 388	2696	Hacker.com.cn.exe	4
PID 2696 wrote to memory of 388	2696	Hacker.com.cn.exe	4
PID 2696 wrote to memory of 428	2696	Hacker.com.cn.exe	5
PID 2696 wrote to memory of 428	2696	Hacker.com.cn.exe	5
PID 2696 wrote to memory of 428	2696	Hacker.com.cn.exe	5
PID 2696 wrote to memory of 472	2696	Hacker.com.cn.exe	6
PID 2696 wrote to memory of 472	2696	Hacker.com.cn.exe	6
PID 2696 wrote to memory of 488	2696	Hacker.com.cn.exe	7
PID 2696 wrote to memory of 488	2696	Hacker.com.cn.exe	7
PID 2696 wrote to memory of 496	2696	Hacker.com.cn.exe	8
PID 2696 wrote to memory of 496	2696	Hacker.com.cn.exe	8
PID 2696 wrote to memory of 588	2696	Hacker.com.cn.exe	9
PID 2696 wrote to memory of 588	2696	Hacker.com.cn.exe	9
PID 2696 wrote to memory of 668	2696	Hacker.com.cn.exe	10
PID 2696 wrote to memory of 668	2696	Hacker.com.cn.exe	10
PID 2696 wrote to memory of 740	2696	Hacker.com.cn.exe	11
PID 2696 wrote to memory of 740	2696	Hacker.com.cn.exe	11
PID 2696 wrote to memory of 804	2696	Hacker.com.cn.exe	12
PID 2696 wrote to memory of 804	2696	Hacker.com.cn.exe	12
PID 2696 wrote to memory of 844	2696	Hacker.com.cn.exe	13
PID 2696 wrote to memory of 844	2696	Hacker.com.cn.exe	13
PID 2696 wrote to memory of 960	2696	Hacker.com.cn.exe	15
PID 2696 wrote to memory of 960	2696	Hacker.com.cn.exe	15
PID 2696 wrote to memory of 284	2696	Hacker.com.cn.exe	16
PID 2696 wrote to memory of 284	2696	Hacker.com.cn.exe	16
PID 2696 wrote to memory of 1048	2696	Hacker.com.cn.exe	17
PID 2696 wrote to memory of 1048	2696	Hacker.com.cn.exe	17
PID 2696 wrote to memory of 1060	2696	Hacker.com.cn.exe	18
PID 2696 wrote to memory of 1060	2696	Hacker.com.cn.exe	18
PID 2696 wrote to memory of 1060	2696	Hacker.com.cn.exe	18
PID 2696 wrote to memory of 1108	2696	Hacker.com.cn.exe	19
PID 2696 wrote to memory of 1108	2696	Hacker.com.cn.exe	19
PID 2696 wrote to memory of 1108	2696	Hacker.com.cn.exe	19
PID 2696 wrote to memory of 1136	2696	Hacker.com.cn.exe	20
PID 2696 wrote to memory of 1136	2696	Hacker.com.cn.exe	20
PID 2696 wrote to memory of 1180	2696	Hacker.com.cn.exe	21
PID 2696 wrote to memory of 1180	2696	Hacker.com.cn.exe	21
PID 2696 wrote to memory of 1180	2696	Hacker.com.cn.exe	21
PID 2696 wrote to memory of 1940	2696	Hacker.com.cn.exe	23
PID 2696 wrote to memory of 1940	2696	Hacker.com.cn.exe	23
PID 2696 wrote to memory of 1940	2696	Hacker.com.cn.exe	23
PID 2696 wrote to memory of 2020	2696	Hacker.com.cn.exe	24
PID 2696 wrote to memory of 2020	2696	Hacker.com.cn.exe	24
PID 2696 wrote to memory of 1252	2696	Hacker.com.cn.exe	25
PID 2696 wrote to memory of 1252	2696	Hacker.com.cn.exe	25
PID 2696 wrote to memory of 2260	2696	Hacker.com.cn.exe	26

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:588
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1940
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1252
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:668
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:740
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:804
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1108
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:844
  - - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:1084
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:960
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:284
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1048
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1060
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1136
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:2020
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2260
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2220
- - C:\Windows\Hacker.com.cn.exe
    C:\Windows\Hacker.com.cn.exe
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      4⤵
      PID:2248
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-42862926812316114111231416703971126701657286182-612432231248230709-1385492048"
  2⤵
  PID:2840

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GBRTRL.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
335KB

MD5
06bf28afb24066ddb543d633e4bc441b

SHA1
dca692fb1b0752a53c9c31bdea7c8e9e004e9d37

SHA256
0a33e02c2cf35dc3d2a7404bebcc20080fe00876b92509464ba64302ae3d5239

SHA512
a21df423a6c18cb1662eef28619886eff08d53c63ce180ca9313fbf9aa5a2adb632178035e530a26519877b5897fc32b07a13bbb5ef0d4bb522d0c77f67e40e9

Download Submit
C:\Windows\KVIGGX.DAT

Filesize
13KB

MD5
de0c533b3e727cfab6d5f5418c159423

SHA1
9bf855b87c43405ff7cba13541d5fe4656a59463

SHA256
bd3daf8b7f8de13aec1438e59d50b09af45eeab17cd0eed7424a4c9b3122150b

SHA512
c33da4186a46553f1c7621220826f091e204715e58c83bcc93cd3fe2116e974615d2a424cd3d073e8f066b3f9dcfff50fa8bca28b17bb968cb85ced899ae8405

Download Submit
C:\Windows\YVXQBB.DAT

Filesize
122KB

MD5
69c410f159553e56ab5a3d94784e26c9

SHA1
4106505d1666d99c923d94072e8ca80142027b66

SHA256
d431390b789478afba0e9b315b5159933cae6dfb5393f229b49d11286c981d0f

SHA512
8a572c34e010b7566cc8b2c38a8f2d5bfa9defbb10c5affba3847b88641a031fe936a156da3985e034be3b601fce66a6bc612f085c70656a782239f58b4ab994

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
075f7ddc1df7955a4cedd17fb34cbd4b

SHA1
178c2e53fc18a8bd56ac8612db8d512dbe1f464a

SHA256
fc40a901b8dd4ef3c9a45c4e3396382bd42359e58b992244776d5cc88098d56c

SHA512
fce912ea908f23817f7526d5d3e87b9856640dd7db29a3d9d4f6451d173e7ae881477dbc9f34e619b39928deb7764a5efd8f0d880ede9d5fb107983f91cead0c

Download Submit
memory/256-28-0x000000005F000000-0x000000005F001000-memory.dmp

Filesize
4KB

Download
memory/2636-2-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2636-20-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2636-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2636-3-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2636-0-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2696-10-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2696-22-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2696-25-0x0000000000690000-0x00000000006B4000-memory.dmp

Filesize
144KB

Download
memory/2696-103-0x000000005F000000-0x000000005F001000-memory.dmp

Filesize
4KB

Download
memory/2696-108-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2696-109-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2844-105-0x000000005F020000-0x000000005F021000-memory.dmp

Filesize
4KB

Download