019c76bbd591537896f097822b48ad22ca79d60cfc9c22accac9a496d924f3dd

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
Size

1.4MB
MD5

071d328df0b7f9a3443c4414d690f119
SHA1

ddf757a9ef222273686bf40f0d6b1ea9368b93e6
SHA256

019c76bbd591537896f097822b48ad22ca79d60cfc9c22accac9a496d924f3dd
SHA512

0dd51cc7812b13313287dafc08e24011462ce7e1fb4d6ea524e99b3687598b1b0a2d9eac2557474f1ad698cb6b35bd8892b1b08f99ff28ad13773e3d36f0d7c3
SSDEEP

24576:3r5I7RhsXlnXw4fy630b0NIHRhLbVSEymRF9meG/WkXUl:NI34XTO4NI7byM6v/5X

Score

8^/10

defense_evasion discovery evasion privilege_escalation

Malware Config

Signatures

Sets file to hidden 1 TTPs 7 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2912	attrib.exe
2212	attrib.exe
2380	attrib.exe
2772	attrib.exe
2812	attrib.exe
2620	attrib.exe
2644	attrib.exe

Deletes itself 1 IoCs

pid	Process
2672	cmd.exe

Executes dropped EXE 28 IoCs

pid	Process
2176	sql.exe
3028	sql.exe
2820	sql.exe
2792	sql.exe
1752	sql.exe
1084	sql.exe
2096	sql.exe
392	sql.exe
2264	sql.exe
1256	sql.exe
2872	sql.exe
904	sql.exe
520	sql.exe
1068	sql.exe
2008	sql.exe
1472	sql.exe
2324	basic.exe
2076	spool.exe
2024	whw.exe
1180	zhucefuwu.exe
2272	zhucefuwu.exe
2832	zhucefuwu.exe
2748	zhucefuwu.exe
2816	zhucefuwu.exe
2148	whw.exe
2992	zhucefuwu.exe
3048	sql.exe
2152	sql.exe

Loads dropped DLL 64 IoCs

pid	Process
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
3028	sql.exe
3028	sql.exe
3028	sql.exe
2176	sql.exe
2176	sql.exe
2176	sql.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2820	sql.exe
2820	sql.exe
2820	sql.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
1084	sql.exe
1084	sql.exe
1084	sql.exe
2792	sql.exe
2792	sql.exe
2792	sql.exe
1752	sql.exe
1752	sql.exe
1752	sql.exe
392	sql.exe
392	sql.exe
392	sql.exe
2096	sql.exe
2096	sql.exe
2096	sql.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2264	sql.exe
2264	sql.exe
2264	sql.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2872	sql.exe
2872	sql.exe
2872	sql.exe
520	sql.exe
520	sql.exe

Drops file in System32 directory 52 IoCs

description	ioc	Process
File created	C:\Windows\System32\spool\Language\ChineseGB.ini	basic.exe
File opened for modification	C:\Windows\System32\spool\Language\English.chm	basic.exe
File created	C:\Windows\System32\spool\Language\English.ini	basic.exe
File opened for modification	C:\Windows\System32\spool\Language\English.ini	basic.exe
File created	C:\Windows\System32\spool\web\accheader.htm	basic.exe
File opened for modification	C:\Windows\System32\spool\web\index.html	basic.exe
File created	C:\Windows\System32\spool\CCProxy.ini	basic.exe
File opened for modification	C:\Windows\System32\spool\CCProxy.ini	basic.exe
File opened for modification	C:\Windows\System32\spool\spool.exe	basic.exe
File opened for modification	C:\Windows\SysWOW64\wins\svchost.exe	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\spool\Language\ChineseGB.chm	basic.exe
File created	C:\Windows\System32\spool\Language\English.chm	basic.exe
File opened for modification	C:\Windows\System32\spool\web\accheader.htm	basic.exe
File created	C:\Windows\System32\spool\web\account.htm	basic.exe
File created	C:\Windows\System32\spool\web\list.htm	basic.exe
File opened for modification	C:\Windows\System32\spool\web\log.htm	basic.exe
File created	C:\Windows\System32\spool\spool.exe	basic.exe
File created	C:\Windows\System32\spool\zhucefuwu.exe	basic.exe
File created	C:\Windows\System32\spool\uuid.dll	basic.exe
File created	C:\Windows\System32\spool\svchost.exe	basic.exe
File created	C:\Windows\SysWOW64\dllcache\basic.exe	cmd.exe
File opened for modification	C:\Windows\System32\spool\web\list.htm	basic.exe
File created	C:\Windows\System32\spool\install.bat	basic.exe
File created	C:\Windows\System32\spool\Language\ChineseGB.chm	basic.exe
File opened for modification	C:\Windows\System32\spool\web	basic.exe
File created	C:\Windows\System32\spool\web\settings.htm	basic.exe
File opened for modification	C:\Windows\System32\spool\web\settings.htm	basic.exe
File opened for modification	C:\Windows\System32\spool\CDial.dll	basic.exe
File opened for modification	C:\Windows\System32\spool\zhucefuwu.exe	basic.exe
File opened for modification	C:\Windows\System32\spool\uuid.dll	basic.exe
File opened for modification	C:\Windows\SysWOW64\wins\delphi.exe	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\spool\basic.exe	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\spool\AccInfo.ini	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
File created	C:\Windows\System32\spool\web\accadd.htm	basic.exe
File opened for modification	C:\Windows\System32\spool\web\accadd.htm	basic.exe
File opened for modification	C:\Windows\System32\spool\web\acclist.htm	basic.exe
File created	C:\Windows\System32\spool\web\log.htm	basic.exe
File opened for modification	C:\Windows\System32\spool\AccInfo.ini	basic.exe
File created	C:\Windows\System32\spool\CDial.dll	basic.exe
File opened for modification	C:\Windows\system32\spool\svchost.exe	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
File created	C:\Windows\System32\spool\web\acclist.htm	basic.exe
File created	C:\Windows\System32\spool\AccInfo.ini	basic.exe
File created	C:\Windows\System32\spool\__tmp_rar_sfx_access_check_259496945	basic.exe
File opened for modification	C:\Windows\System32\spool\Language	basic.exe
File created	C:\Windows\System32\spool\web\index.html	basic.exe
File created	C:\Windows\System32\spool\whw.exe	basic.exe
File created	C:\Windows\system32\spool\delmy.bat	spool.exe
File opened for modification	C:\Windows\System32\spool\Language\ChineseGB.ini	basic.exe
File opened for modification	C:\Windows\System32\spool\web\account.htm	basic.exe
File opened for modification	C:\Windows\System32\spool\install.bat	basic.exe
File opened for modification	C:\Windows\System32\spool\whw.exe	basic.exe
File opened for modification	C:\Windows\System32\spool\svchost.exe	basic.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2264	sql.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zhucefuwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zhucefuwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zhucefuwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zhucefuwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zhucefuwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	basic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zhucefuwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spool.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2176	PING.EXE
2896	PING.EXE
2964	PING.EXE
1608	PING.EXE
2760	PING.EXE
2824	PING.EXE
2296	PING.EXE
2924	PING.EXE
2820	PING.EXE
2428	PING.EXE
2908	PING.EXE
2756	PING.EXE
1876	PING.EXE
2356	PING.EXE
684	PING.EXE
2880	PING.EXE

Runs ping.exe 1 TTPs 16 IoCs

Remote System Discovery

T1018

pid	Process
1608	PING.EXE
2756	PING.EXE
2824	PING.EXE
2924	PING.EXE
1876	PING.EXE
2820	PING.EXE
2964	PING.EXE
2296	PING.EXE
2176	PING.EXE
2896	PING.EXE
2356	PING.EXE
684	PING.EXE
2880	PING.EXE
2760	PING.EXE
2908	PING.EXE
2428	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
2076	spool.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2176	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2176	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2176	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2176	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2176	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2176	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2176	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2820	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2820	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2820	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2820	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2820	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2820	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2820	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	31
PID 2932 wrote to memory of 3028	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	32
PID 2932 wrote to memory of 3028	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	32
PID 2932 wrote to memory of 3028	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	32
PID 2932 wrote to memory of 3028	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	32
PID 2932 wrote to memory of 3028	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	32
PID 2932 wrote to memory of 3028	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	32
PID 2932 wrote to memory of 3028	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	32
PID 2932 wrote to memory of 1752	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	35
PID 2932 wrote to memory of 1752	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	35
PID 2932 wrote to memory of 1752	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	35
PID 2932 wrote to memory of 1752	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	35
PID 2932 wrote to memory of 1752	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	35
PID 2932 wrote to memory of 1752	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	35
PID 2932 wrote to memory of 1752	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	35
PID 2932 wrote to memory of 2792	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	36
PID 2932 wrote to memory of 2792	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	36
PID 2932 wrote to memory of 2792	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	36
PID 2932 wrote to memory of 2792	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	36
PID 2932 wrote to memory of 2792	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	36
PID 2932 wrote to memory of 2792	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	36
PID 2932 wrote to memory of 2792	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	36
PID 2932 wrote to memory of 1084	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	37
PID 2932 wrote to memory of 1084	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	37
PID 2932 wrote to memory of 1084	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	37
PID 2932 wrote to memory of 1084	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	37
PID 2932 wrote to memory of 1084	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	37
PID 2932 wrote to memory of 1084	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	37
PID 2932 wrote to memory of 1084	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	37
PID 2932 wrote to memory of 2672	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	41
PID 2932 wrote to memory of 2672	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	41
PID 2932 wrote to memory of 2672	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	41
PID 2932 wrote to memory of 2672	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	41
PID 2932 wrote to memory of 2672	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	41
PID 2932 wrote to memory of 2672	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	41
PID 2932 wrote to memory of 2672	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	41
PID 2932 wrote to memory of 2096	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	43
PID 2932 wrote to memory of 2096	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	43
PID 2932 wrote to memory of 2096	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	43
PID 2932 wrote to memory of 2096	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	43
PID 2932 wrote to memory of 2096	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	43
PID 2932 wrote to memory of 2096	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	43
PID 2932 wrote to memory of 2096	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	43
PID 2932 wrote to memory of 392	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	45
PID 2932 wrote to memory of 392	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	45
PID 2932 wrote to memory of 392	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	45
PID 2932 wrote to memory of 392	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	45
PID 2932 wrote to memory of 392	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	45
PID 2932 wrote to memory of 392	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	45
PID 2932 wrote to memory of 392	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	45
PID 2932 wrote to memory of 2264	2932	071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe	48

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2772	attrib.exe
2812	attrib.exe
2620	attrib.exe
2644	attrib.exe
2912	attrib.exe
2212	attrib.exe
2380	attrib.exe

C:\Users\Admin\AppData\Local\Temp\071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\071d328df0b7f9a3443c4414d690f119_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql stop RasAuto
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql delete RasAuto
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql stop LogicalDisk
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3028
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql stop Microsoftbill
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql stop CCproxy
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql delete CCproxy
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c type %systemdrive%\\boot.ini>windows7.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql stop vsmon
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql delete vsmon
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:392
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql stop RunAServces
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql stop wmisrvs
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql stop Bethserv
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:904
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql stop taskmgr
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql stop CCproxy
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:520
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql stop svchost
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql stop RasAuto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1472
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql delete RasAuto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2008
- C:\Windows\System32\spool\basic.exe
  "C:\Windows\System32\spool\basic.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2324
- - C:\Windows\system32\spool\spool.exe
    "C:\Windows\system32\spool\spool.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\system32\spool\install.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2488
    - - C:\Windows\system32\spool\whw.exe
        
        whw stop Microsoftbill
        5⤵
        Executes dropped EXE
        
        PID:2024
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2356
    - - C:\Windows\system32\spool\zhucefuwu.exe
        
        zhucefuwu stop Microsoftbill
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1180
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:684
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2296
    - - C:\Windows\system32\spool\zhucefuwu.exe
        
        zhucefuwu create Microsoftbill binpath= "C:\Windows\system32\spool\svchost.exe -service" start= auto Displayname= "Windows Managements Instrumentation Driver"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1608
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h svchost.exe
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2380
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2760
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h uuid.dll
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2772
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2908
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h CCProxy.ini
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2812
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2756
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h +r web
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2620
    - - C:\Windows\system32\spool\zhucefuwu.exe
        
        zhucefuwu config "Microsoftbill" DisplayName= "Windows Managements Instrumentation Driver"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2832
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2824
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2924
    - - C:\Windows\system32\spool\zhucefuwu.exe
        
        zhucefuwu description Microsoftbill "Component Object Model (COM +) components of the configuration and tracking. If you stop the service, most COM +-based components will not work correctly. If you disable the service, any explicit dependence on its service will not start."
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2748
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
    - - C:\Windows\system32\spool\zhucefuwu.exe
        
        zhucefuwu start Microsoftbill
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2816
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2896
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1876
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h CDial.dll
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2644
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h +r Language
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2912
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h AccInfo.ini
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2212
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2820
    - - C:\Windows\system32\spool\whw.exe
        
        whw start Microsoftbill
        5⤵
        Executes dropped EXE
        
        PID:2148
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2964
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1 -w 500
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2428
    - - C:\Windows\system32\spool\zhucefuwu.exe
        
        zhucefuwu start Microsoftbill
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\system32\spool\delmy.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\cache.bat
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql start Microsoftbill
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\sql.exe
  sql start LogicalDisk
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\delme.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cache.bat

Filesize
259B

MD5
7e29a77962037d12bd040d408eb97330

SHA1
b5fa6c12464d1cd0bdf1a213caa34ace6d945649

SHA256
63cc3bacb165bcca1c404d4a17c632a41631c7db8b910f4653f78e5b5dafebb6

SHA512
1d2912dfc0533aea6262cadfab137faedb42d9f0c62ad3f3d28f4b47dec8141773ef901773876c5bd17b28280a2ba3160a0b3fd2f44d601ef6d3b3860cc88329

Download Submit
C:\Users\Admin\AppData\Local\Temp\delme.bat

Filesize
216B

MD5
5acf349bbb75925088e84f8ac9b37900

SHA1
5125f1189f7ae81ce50ec9198536e774800fcfff

SHA256
50196ba3c6870722bfa2f9cc0ccd0ff5d95cc095c45e0968a5bb01a40a9ef46d

SHA512
b582b6fc24464d6b6e6a07e8a6d0f7ae7d9efcde0c4da92431b310036bcb7e9d4e27e85eef520041de7f950093ee1ced11faa361f63e1d8a029825bb93f534ee

Download Submit
C:\Windows\System32\spool\basic.exe

Filesize
651KB

MD5
c137dea474cf1c6cfbdd87add7998795

SHA1
b327856ddcb5ac620d2b32e3db896e4ba4803609

SHA256
3b8b7cdd3fb09c2181b083d72fce3cf676799b5d86836129f84e17b486b1b590

SHA512
2ccbc9eddae43308ab7aa5c95eb2d11cb704fbef99d02fe87a5b10f4a7163521f85aa92f59f8a4ea10f3972bd5e2e0de383d94c9eca754b43e9bfbf865fa44b1

Download Submit
C:\Windows\System32\spool\delmy.bat

Filesize
118B

MD5
325ccf25f0921d8291c73d48dbb597bf

SHA1
d5aeb0b5bd7159961240e5d11121d7077195297e

SHA256
081b8b3647fa6b2a8bc1e3b069cd7d632ccfcd1a339093a91a80ccffbec7d26e

SHA512
dfa97b9803151d876dc2de4a5b4ee9faaa8f676081002a48456b68e2dd8ec57136ff729eb9dafb199c8e232d6e68aa84dae180f9e106a6ff61b19671a5be05c0

Download Submit
C:\Windows\System32\spool\spool.exe

Filesize
20KB

MD5
d81ef733012b5240e54f5faf7b1870b2

SHA1
b8c1b6c2a2165f9ee83b609c2e193a6693a9304a

SHA256
55c00320c2deb0a5cf2584187ab3e572a8db7b54ed383c04aa519d7cc0da6e53

SHA512
1f6526d393ac30a87e816c1f4153ff9309b2e691b22ed46d71979b88fab9165b9632dc57859a700a09de71181bb2f08275e3d76586f4102aaef827f3049c59f4

Download Submit
\Users\Admin\AppData\Local\Temp\sql.exe

Filesize
63KB

MD5
b1c28d7d40310928d7c399e841c371ac

SHA1
cfedb64bf3c2a943da009832307570322b559674

SHA256
478f5a83033fa76248eac4b1259cd01954e25ea7e2d53492ff966ff4bb75279c

SHA512
295758bd5f0fc4f7423e68a607f13537a7bfae7d6dfead5c367ab1fc61c50cda355199172203647ebfa41534c51d2b674e2322bd682f842ac63f34afceb00c56

Download Submit
memory/2324-152-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2932-84-0x0000000004080000-0x00000000050E2000-memory.dmp

Filesize
16.4MB

Download