Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 02/10/2024, 09:29
Static task: static1
Behavioral task: behavioral1
- Sample: 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe
- Size: 45KB
- MD5: 0a0032a860c7ae456b91400703be4a4c
- SHA1: 78b76d9fdfbbd43f70937a9025371d279593752e
- SHA256: ef52a3d099bbf90addc13d1aec8fb29d27091192ed156f6510673a104336c707
- SHA512: 31a657e9e39f86ca37c22a7ad9ead0c218704d2720cbbc351a060cecff3893145cf4a9a1f929b2fcd791bb4d13b44438a4f82e323f4e60a69e76825c207f2f40
- SSDEEP: 768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXf:EOxyeFo6NPCAosxYyXdF5oy3VoKf
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 8 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"` | SPOOLSV.EXE |
| Set value (str) | `\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""` | SPOOLSV.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| Set value (str) | `\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | `\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"` | SVCHOST.EXE |
| Set value (int) | `\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| Set value (int) | `\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"` | SPOOLSV.EXE |
| Set value (int) | `\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"` | SVCHOST.EXE |
Modifies visibility of hidden/system files in Explorer 2 TTPs 4 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | `\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"` | SPOOLSV.EXE |
| Set value (str) | `\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
Executes dropped EXE 12 IoCs

| pid | Process |
| --- | --- |
| 2680 | SVCHOST.EXE |
| 2596 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1700 | SVCHOST.EXE |
| 2328 | SVCHOST.EXE |
| 1484 | SPOOLSV.EXE |
| 2144 | SVCHOST.EXE |
| 1864 | SVCHOST.EXE |
| 2152 | SPOOLSV.EXE |
| 2924 | SPOOLSV.EXE |
| 2616 | SVCHOST.EXE |
| 2880 | SPOOLSV.EXE |
Loads dropped DLL 21 IoCs

| pid | Process |
| --- | --- |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2680 | SVCHOST.EXE |
| 2680 | SVCHOST.EXE |
| 2680 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 2680 | SVCHOST.EXE |
| 2680 | SVCHOST.EXE |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
Drops desktop.ini file(s) 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | `C:\Recycled\desktop.ini` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened for modification | `F:\Recycled\desktop.ini` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | `\??\Y:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\V:` | SVCHOST.EXE |
| File opened (read-only) | `\??\G:` | SPOOLSV.EXE |
| File opened (read-only) | `\??\Q:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\H:` | SVCHOST.EXE |
| File opened (read-only) | `\??\W:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\L:` | SVCHOST.EXE |
| File opened (read-only) | `\??\M:` | SVCHOST.EXE |
| File opened (read-only) | `\??\H:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\U:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\N:` | SVCHOST.EXE |
| File opened (read-only) | `\??\M:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\K:` | SVCHOST.EXE |
| File opened (read-only) | `\??\E:` | SVCHOST.EXE |
| File opened (read-only) | `\??\Y:` | SVCHOST.EXE |
| File opened (read-only) | `\??\Z:` | SVCHOST.EXE |
| File opened (read-only) | `\??\P:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\V:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\J:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\Z:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\G:` | SVCHOST.EXE |
| File opened (read-only) | `\??\U:` | SVCHOST.EXE |
| File opened (read-only) | `\??\L:` | SVCHOST.EXE |
| File opened (read-only) | `\??\U:` | SVCHOST.EXE |
| File opened (read-only) | `\??\E:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\I:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\W:` | SVCHOST.EXE |
| File opened (read-only) | `\??\G:` | SVCHOST.EXE |
| File opened (read-only) | `\??\J:` | SVCHOST.EXE |
| File opened (read-only) | `\??\R:` | SVCHOST.EXE |
| File opened (read-only) | `\??\M:` | SPOOLSV.EXE |
| File opened (read-only) | `\??\U:` | SPOOLSV.EXE |
| File opened (read-only) | `\??\O:` | SVCHOST.EXE |
| File opened (read-only) | `\??\P:` | SVCHOST.EXE |
| File opened (read-only) | `\??\T:` | SVCHOST.EXE |
| File opened (read-only) | `\??\Y:` | SVCHOST.EXE |
| File opened (read-only) | `\??\R:` | SPOOLSV.EXE |
| File opened (read-only) | `\??\S:` | SPOOLSV.EXE |
| File opened (read-only) | `\??\K:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\T:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\I:` | SVCHOST.EXE |
| File opened (read-only) | `\??\Q:` | SVCHOST.EXE |
| File opened (read-only) | `\??\E:` | SPOOLSV.EXE |
| File opened (read-only) | `\??\H:` | SVCHOST.EXE |
| File opened (read-only) | `\??\M:` | SVCHOST.EXE |
| File opened (read-only) | `\??\T:` | SVCHOST.EXE |
| File opened (read-only) | `\??\X:` | SPOOLSV.EXE |
| File opened (read-only) | `\??\G:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\O:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\K:` | SVCHOST.EXE |
| File opened (read-only) | `\??\E:` | SVCHOST.EXE |
| File opened (read-only) | `\??\I:` | SPOOLSV.EXE |
| File opened (read-only) | `\??\K:` | SPOOLSV.EXE |
| File opened (read-only) | `\??\S:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\J:` | SVCHOST.EXE |
| File opened (read-only) | `\??\V:` | SVCHOST.EXE |
| File opened (read-only) | `\??\X:` | SVCHOST.EXE |
| File opened (read-only) | `\??\O:` | SVCHOST.EXE |
| File opened (read-only) | `\??\L:` | SPOOLSV.EXE |
| File opened (read-only) | `\??\N:` | SPOOLSV.EXE |
| File opened (read-only) | `\??\Q:` | SPOOLSV.EXE |
| File opened (read-only) | `\??\N:` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened (read-only) | `\??\N:` | SVCHOST.EXE |
| File opened (read-only) | `\??\Z:` | SPOOLSV.EXE |
Drops file in Windows directory 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | `C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| File opened for modification | `C:\Windows\Debug\WIA\wiatrace.log` | WINWORD.EXE |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | SVCHOST.EXE |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | SVCHOST.EXE |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | SVCHOST.EXE |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | Explorer.exe |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | SVCHOST.EXE |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | userinit.exe |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | WINWORD.EXE |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | SPOOLSV.EXE |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | SVCHOST.EXE |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | SPOOLSV.EXE |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | SVCHOST.EXE |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | SPOOLSV.EXE |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | SVCHOST.EXE |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | SVCHOST.EXE |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | SPOOLSV.EXE |
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 28 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\` | SPOOLSV.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"` | SPOOLSV.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"` | SPOOLSV.EXE |
| Key deleted | `\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"` | SVCHOST.EXE |
| Key deleted | `\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| Key deleted | `\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| Key deleted | `\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"` | SPOOLSV.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"` | SPOOLSV.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"` | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"` | SVCHOST.EXE |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"` | SPOOLSV.EXE |
Suspicious behavior: AddClipboardFormatListener 1 IoCs

| pid | Process |
| --- | --- |
| 2432 | WINWORD.EXE |
Suspicious behavior: EnumeratesProcesses 64 IoCs

| pid | Process |
| --- | --- |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 2680 | SVCHOST.EXE |
| 2680 | SVCHOST.EXE |
| 2680 | SVCHOST.EXE |
| 2680 | SVCHOST.EXE |
| 2680 | SVCHOST.EXE |
| 2680 | SVCHOST.EXE |
| 2680 | SVCHOST.EXE |
| 2680 | SVCHOST.EXE |
| 2680 | SVCHOST.EXE |
| 2680 | SVCHOST.EXE |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
| 1484 | SPOOLSV.EXE |
Suspicious use of SetWindowsHookEx 15 IoCs

| pid | Process |
| --- | --- |
| 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe |
| 2680 | SVCHOST.EXE |
| 2596 | SVCHOST.EXE |
| 1932 | SVCHOST.EXE |
| 1700 | SVCHOST.EXE |
| 2328 | SVCHOST.EXE |
| 1484 | SPOOLSV.EXE |
| 2144 | SVCHOST.EXE |
| 1864 | SVCHOST.EXE |
| 2152 | SPOOLSV.EXE |
| 2924 | SPOOLSV.EXE |
| 2616 | SVCHOST.EXE |
| 2880 | SPOOLSV.EXE |
| 2432 | WINWORD.EXE |
| 2432 | WINWORD.EXE |
Suspicious use of WriteProcessMemory 64 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2660 wrote to memory of 2680 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 30 |
| PID 2660 wrote to memory of 2680 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 30 |
| PID 2660 wrote to memory of 2680 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 30 |
| PID 2660 wrote to memory of 2680 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 30 |
| PID 2680 wrote to memory of 2596 | 2680 | SVCHOST.EXE | 31 |
| PID 2680 wrote to memory of 2596 | 2680 | SVCHOST.EXE | 31 |
| PID 2680 wrote to memory of 2596 | 2680 | SVCHOST.EXE | 31 |
| PID 2680 wrote to memory of 2596 | 2680 | SVCHOST.EXE | 31 |
| PID 2680 wrote to memory of 1932 | 2680 | SVCHOST.EXE | 32 |
| PID 2680 wrote to memory of 1932 | 2680 | SVCHOST.EXE | 32 |
| PID 2680 wrote to memory of 1932 | 2680 | SVCHOST.EXE | 32 |
| PID 2680 wrote to memory of 1932 | 2680 | SVCHOST.EXE | 32 |
| PID 1932 wrote to memory of 1700 | 1932 | SVCHOST.EXE | 33 |
| PID 1932 wrote to memory of 1700 | 1932 | SVCHOST.EXE | 33 |
| PID 1932 wrote to memory of 1700 | 1932 | SVCHOST.EXE | 33 |
| PID 1932 wrote to memory of 1700 | 1932 | SVCHOST.EXE | 33 |
| PID 1932 wrote to memory of 2328 | 1932 | SVCHOST.EXE | 34 |
| PID 1932 wrote to memory of 2328 | 1932 | SVCHOST.EXE | 34 |
| PID 1932 wrote to memory of 2328 | 1932 | SVCHOST.EXE | 34 |
| PID 1932 wrote to memory of 2328 | 1932 | SVCHOST.EXE | 34 |
| PID 1932 wrote to memory of 1484 | 1932 | SVCHOST.EXE | 35 |
| PID 1932 wrote to memory of 1484 | 1932 | SVCHOST.EXE | 35 |
| PID 1932 wrote to memory of 1484 | 1932 | SVCHOST.EXE | 35 |
| PID 1932 wrote to memory of 1484 | 1932 | SVCHOST.EXE | 35 |
| PID 1484 wrote to memory of 2144 | 1484 | SPOOLSV.EXE | 36 |
| PID 1484 wrote to memory of 2144 | 1484 | SPOOLSV.EXE | 36 |
| PID 1484 wrote to memory of 2144 | 1484 | SPOOLSV.EXE | 36 |
| PID 1484 wrote to memory of 2144 | 1484 | SPOOLSV.EXE | 36 |
| PID 1484 wrote to memory of 1864 | 1484 | SPOOLSV.EXE | 37 |
| PID 1484 wrote to memory of 1864 | 1484 | SPOOLSV.EXE | 37 |
| PID 1484 wrote to memory of 1864 | 1484 | SPOOLSV.EXE | 37 |
| PID 1484 wrote to memory of 1864 | 1484 | SPOOLSV.EXE | 37 |
| PID 1484 wrote to memory of 2152 | 1484 | SPOOLSV.EXE | 38 |
| PID 1484 wrote to memory of 2152 | 1484 | SPOOLSV.EXE | 38 |
| PID 1484 wrote to memory of 2152 | 1484 | SPOOLSV.EXE | 38 |
| PID 1484 wrote to memory of 2152 | 1484 | SPOOLSV.EXE | 38 |
| PID 2680 wrote to memory of 2924 | 2680 | SVCHOST.EXE | 39 |
| PID 2680 wrote to memory of 2924 | 2680 | SVCHOST.EXE | 39 |
| PID 2680 wrote to memory of 2924 | 2680 | SVCHOST.EXE | 39 |
| PID 2680 wrote to memory of 2924 | 2680 | SVCHOST.EXE | 39 |
| PID 2660 wrote to memory of 2616 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 41 |
| PID 2660 wrote to memory of 2616 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 41 |
| PID 2660 wrote to memory of 2616 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 41 |
| PID 2660 wrote to memory of 2616 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 41 |
| PID 2680 wrote to memory of 1684 | 2680 | SVCHOST.EXE | 40 |
| PID 2680 wrote to memory of 1684 | 2680 | SVCHOST.EXE | 40 |
| PID 2680 wrote to memory of 1684 | 2680 | SVCHOST.EXE | 40 |
| PID 2680 wrote to memory of 1684 | 2680 | SVCHOST.EXE | 40 |
| PID 2660 wrote to memory of 2880 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 42 |
| PID 2660 wrote to memory of 2880 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 42 |
| PID 2660 wrote to memory of 2880 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 42 |
| PID 2660 wrote to memory of 2880 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 42 |
| PID 2660 wrote to memory of 2432 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 43 |
| PID 2660 wrote to memory of 2432 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 43 |
| PID 2660 wrote to memory of 2432 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 43 |
| PID 2660 wrote to memory of 2432 | 2660 | 0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe | 43 |
| PID 1684 wrote to memory of 2068 | 1684 | userinit.exe | 44 |
| PID 1684 wrote to memory of 2068 | 1684 | userinit.exe | 44 |
| PID 1684 wrote to memory of 2068 | 1684 | userinit.exe | 44 |
| PID 1684 wrote to memory of 2068 | 1684 | userinit.exe | 44 |
| PID 2432 wrote to memory of 716 | 2432 | WINWORD.EXE | 47 |
| PID 2432 wrote to memory of 716 | 2432 | WINWORD.EXE | 47 |
| PID 2432 wrote to memory of 716 | 2432 | WINWORD.EXE | 47 |
| PID 2432 wrote to memory of 716 | 2432 | WINWORD.EXE | 47 |
Processes
- C:\Users\Admin\AppData\Local\Temp\0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe, PID 2660
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.exe"
  Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Loads dropped DLL; Drops desktop.ini file(s); Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\recycled\SVCHOST.EXE, PID 2680
    Command line: C:\recycled\SVCHOST.EXE :agent
    Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\recycled\SVCHOST.EXE, PID 2596
      Command line: C:\recycled\SVCHOST.EXE :agent
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - F:\recycled\SVCHOST.EXE, PID 1932
      Command line: F:\recycled\SVCHOST.EXE :agent
      Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\recycled\SVCHOST.EXE, PID 1700
        Command line: C:\recycled\SVCHOST.EXE :agent
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - F:\recycled\SVCHOST.EXE, PID 2328
        Command line: F:\recycled\SVCHOST.EXE :agent
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\recycled\SPOOLSV.EXE, PID 1484
        Command line: C:\recycled\SPOOLSV.EXE :agent
        Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\recycled\SVCHOST.EXE, PID 2144
          Command line: C:\recycled\SVCHOST.EXE :agent
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - F:\recycled\SVCHOST.EXE, PID 1864
          Command line: F:\recycled\SVCHOST.EXE :agent
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - C:\recycled\SPOOLSV.EXE, PID 2152
          Command line: C:\recycled\SPOOLSV.EXE :agent
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - C:\recycled\SPOOLSV.EXE, PID 2924
      Command line: C:\recycled\SPOOLSV.EXE :agent
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\userinit.exe, PID 1684
      Command line: C:\Windows\system32\userinit.exe
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Explorer.exe, PID 2068
        Command line: Explorer.exe "C:\recycled\SVCHOST.exe"
        Signatures: System Location Discovery: System Language Discovery
  - F:\recycled\SVCHOST.EXE, PID 2616
    Command line: F:\recycled\SVCHOST.EXE :agent
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\recycled\SPOOLSV.EXE, PID 2880
    Command line: C:\recycled\SPOOLSV.EXE :agent
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE, PID 2432
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0a0032a860c7ae456b91400703be4a4c_JaffaCakes118.doc"
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\splwow64.exe, PID 716
      Command line: C:\Windows\splwow64.exe 12288
      Signatures: none
- C:\Windows\explorer.exe, PID 1664
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures: none
Network
MITRE ATT&CK Enterprise v15
Downloads