Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240910-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/10/2024, 20:17
Static task: static1
Behavioral task: behavioral1
Sample: 0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
Resource: win7-20240708-en
General
- Target: 0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
- Size: 1.4MB
- MD5: 0745b720c0330c64f6047024027b0fe7
- SHA1: b10bed81a1245e84f34378307d24e0c38f28ee06
- SHA256: 742d365f0f9001602ee3c0734bcef4a44cde92fd29a69d48247b1ac60a30e726
- SHA512: 742e5831bbd41aa8ad0e8161cbdc41d8d4d994c01ff9358933d0f93f4f7fdbcedc24a779f4a5ced499bdc138e0f3b37edbc835fcd976bdfe06d17457a8b891de
- SSDEEP: 24576:foYx5sXo6cgL8/b2FAiU4DhEr/cJzz00F5JAn/KJd3AouffPD/gEOao3bzMUXuGH:forXVg/bU9URUZQuoivYPD/71orzMiNH
Malware Config
Signatures
Loads dropped DLL 1 IoCs
- pid 3608, process regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21608B66-026F-4DCB-9244-0DACA328DCED}\ = "PlaySushi" (regsvr32.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21608B66-026F-4DCB-9244-0DACA328DCED}\NoExplorer = "1" (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21608B66-026F-4DCB-9244-0DACA328DCED} (regsvr32.exe)

Drops file in Program Files directory 4 IoCs
- File created: C:\Program Files (x86)\PlaySushi\psff.tmp (0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\PlaySushi\PSText.dll (0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\PlaySushi\psuninst.exe (0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\PlaySushi\icon.ico (0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe)

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key created: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe)

Enumerates system info in registry 2 TTPs 2 IoCs
- Key created: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct (0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe)

Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
- pid 2464, process 0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe (64 identical entries)

Suspicious use of AdjustPrivilegeToken 7 IoCs
- Token: SeDebugPrivilege, pid 2464, process 0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe (7 identical entries)

Suspicious use of WriteProcessMemory 6 IoCs
- PID 2464 (0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe) wrote to memory of PID 1716, procid_target 94 (3 identical entries)
- PID 1716 (cmd.exe) wrote to memory of PID 3608, procid_target 96 (3 identical entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0745b720c0330c64f6047024027b0fe7_JaffaCakes118.exe"
  PID: 2464
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\PlaySushi\PSText.dll"
    PID: 1716
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\regsvr32.exe
      Command line: regsvr32.exe /s "C:\Program Files (x86)\PlaySushi\PSText.dll"
      PID: 3608
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - System Location Discovery: System Language Discovery
      - Modifies registry class

Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 338KB
- MD5: 5b423b4dcae4f711c0eff1ded431e29e
- SHA1: b86518fd4dcb4197fea1f46e72b8d031d82f0523
- SHA256: 7aef51bfd9461e2770c96738808f22140db7f31e5b2c33fa7bdb72e3ebf53e02
- SHA512: c063058cbc7fb567092141b7d574ac34dfd7b343329935385c4eff990a988b587bbebd672e8eb52f8671044c222093d8db7ad22634209a111cfac20df8cf1fac