e87a3ec4a623406eee7c077e267c50576780b415c07f8a62fbf8135b04e0fd60

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Size

45KB
MD5

0c0b84c014377fcb7fd34e305cd7560b
SHA1

7440242af02ee3d7105661dad5ff9d69ca64ccb3
SHA256

e87a3ec4a623406eee7c077e267c50576780b415c07f8a62fbf8135b04e0fd60
SHA512

c83d421e9cff30638e1f988f00b556d57cd8213a4a2341ef1be0efddba058cf56b9f214902ce83ef724a6d9e3552012d1147c1ca6281aa219e9b55a75c114960
SSDEEP

768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXo:EOxyeFo6NPCAosxYyXdF5oy3VoKo

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe

Executes dropped EXE 12 IoCs

pid	Process
1680	SVCHOST.EXE
2968	SVCHOST.EXE
1600	SVCHOST.EXE
2780	SVCHOST.EXE
2748	SVCHOST.EXE
2684	SPOOLSV.EXE
2416	SVCHOST.EXE
2592	SVCHOST.EXE
2564	SPOOLSV.EXE
1992	SPOOLSV.EXE
2184	SVCHOST.EXE
2456	SPOOLSV.EXE

Loads dropped DLL 18 IoCs

pid	Process
1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Recycled\desktop.ini	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened for modification	F:\Recycled\desktop.ini	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\H:	SPOOLSV.EXE
File opened (read-only)	\??\W:	SPOOLSV.EXE
File opened (read-only)	\??\M:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\Z:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\J:	SPOOLSV.EXE
File opened (read-only)	\??\W:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\T:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\G:	SPOOLSV.EXE
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\V:	SPOOLSV.EXE
File opened (read-only)	\??\P:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\T:	SPOOLSV.EXE
File opened (read-only)	\??\E:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\O:	SPOOLSV.EXE
File opened (read-only)	\??\R:	SPOOLSV.EXE
File opened (read-only)	\??\X:	SPOOLSV.EXE
File opened (read-only)	\??\N:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\L:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\K:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\I:	SPOOLSV.EXE
File opened (read-only)	\??\G:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\J:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SPOOLSV.EXE
File opened (read-only)	\??\H:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\Q:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\O:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\K:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\V:	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\E:	SPOOLSV.EXE
File opened (read-only)	\??\L:	SPOOLSV.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SPOOLSV.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SPOOLSV.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1128	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1600	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
1680	SVCHOST.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
2684	SPOOLSV.EXE
1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
1680	SVCHOST.EXE
2968	SVCHOST.EXE
1600	SVCHOST.EXE
2780	SVCHOST.EXE
2748	SVCHOST.EXE
2684	SPOOLSV.EXE
2416	SVCHOST.EXE
2592	SVCHOST.EXE
2564	SPOOLSV.EXE
1992	SPOOLSV.EXE
2184	SVCHOST.EXE
2456	SPOOLSV.EXE
1128	WINWORD.EXE
1128	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 1680	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	30
PID 1804 wrote to memory of 1680	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	30
PID 1804 wrote to memory of 1680	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	30
PID 1804 wrote to memory of 1680	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	30
PID 1680 wrote to memory of 2968	1680	SVCHOST.EXE	31
PID 1680 wrote to memory of 2968	1680	SVCHOST.EXE	31
PID 1680 wrote to memory of 2968	1680	SVCHOST.EXE	31
PID 1680 wrote to memory of 2968	1680	SVCHOST.EXE	31
PID 1680 wrote to memory of 1600	1680	SVCHOST.EXE	32
PID 1680 wrote to memory of 1600	1680	SVCHOST.EXE	32
PID 1680 wrote to memory of 1600	1680	SVCHOST.EXE	32
PID 1680 wrote to memory of 1600	1680	SVCHOST.EXE	32
PID 1600 wrote to memory of 2780	1600	SVCHOST.EXE	33
PID 1600 wrote to memory of 2780	1600	SVCHOST.EXE	33
PID 1600 wrote to memory of 2780	1600	SVCHOST.EXE	33
PID 1600 wrote to memory of 2780	1600	SVCHOST.EXE	33
PID 1600 wrote to memory of 2748	1600	SVCHOST.EXE	34
PID 1600 wrote to memory of 2748	1600	SVCHOST.EXE	34
PID 1600 wrote to memory of 2748	1600	SVCHOST.EXE	34
PID 1600 wrote to memory of 2748	1600	SVCHOST.EXE	34
PID 1600 wrote to memory of 2684	1600	SVCHOST.EXE	35
PID 1600 wrote to memory of 2684	1600	SVCHOST.EXE	35
PID 1600 wrote to memory of 2684	1600	SVCHOST.EXE	35
PID 1600 wrote to memory of 2684	1600	SVCHOST.EXE	35
PID 2684 wrote to memory of 2416	2684	SPOOLSV.EXE	36
PID 2684 wrote to memory of 2416	2684	SPOOLSV.EXE	36
PID 2684 wrote to memory of 2416	2684	SPOOLSV.EXE	36
PID 2684 wrote to memory of 2416	2684	SPOOLSV.EXE	36
PID 2684 wrote to memory of 2592	2684	SPOOLSV.EXE	37
PID 2684 wrote to memory of 2592	2684	SPOOLSV.EXE	37
PID 2684 wrote to memory of 2592	2684	SPOOLSV.EXE	37
PID 2684 wrote to memory of 2592	2684	SPOOLSV.EXE	37
PID 2684 wrote to memory of 2564	2684	SPOOLSV.EXE	38
PID 2684 wrote to memory of 2564	2684	SPOOLSV.EXE	38
PID 2684 wrote to memory of 2564	2684	SPOOLSV.EXE	38
PID 2684 wrote to memory of 2564	2684	SPOOLSV.EXE	38
PID 1680 wrote to memory of 1992	1680	SVCHOST.EXE	39
PID 1680 wrote to memory of 1992	1680	SVCHOST.EXE	39
PID 1680 wrote to memory of 1992	1680	SVCHOST.EXE	39
PID 1680 wrote to memory of 1992	1680	SVCHOST.EXE	39
PID 1804 wrote to memory of 2184	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	40
PID 1804 wrote to memory of 2184	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	40
PID 1804 wrote to memory of 2184	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	40
PID 1804 wrote to memory of 2184	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	40
PID 1680 wrote to memory of 2532	1680	SVCHOST.EXE	41
PID 1680 wrote to memory of 2532	1680	SVCHOST.EXE	41
PID 1680 wrote to memory of 2532	1680	SVCHOST.EXE	41
PID 1680 wrote to memory of 2532	1680	SVCHOST.EXE	41
PID 1804 wrote to memory of 2456	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	42
PID 1804 wrote to memory of 2456	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	42
PID 1804 wrote to memory of 2456	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	42
PID 1804 wrote to memory of 2456	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	42
PID 2532 wrote to memory of 2892	2532	userinit.exe	43
PID 2532 wrote to memory of 2892	2532	userinit.exe	43
PID 2532 wrote to memory of 2892	2532	userinit.exe	43
PID 2532 wrote to memory of 2892	2532	userinit.exe	43
PID 1804 wrote to memory of 1128	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	45
PID 1804 wrote to memory of 1128	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	45
PID 1804 wrote to memory of 1128	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	45
PID 1804 wrote to memory of 1128	1804	0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe	45
PID 1128 wrote to memory of 2372	1128	WINWORD.EXE	48
PID 1128 wrote to memory of 2372	1128	WINWORD.EXE	48
PID 1128 wrote to memory of 2372	1128	WINWORD.EXE	48
PID 1128 wrote to memory of 2372	1128	WINWORD.EXE	48

C:\Users\Admin\AppData\Local\Temp\0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804
- C:\recycled\SVCHOST.EXE
  C:\recycled\SVCHOST.EXE :agent
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\recycled\SVCHOST.EXE
    C:\recycled\SVCHOST.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2968
- - F:\recycled\SVCHOST.EXE
    F:\recycled\SVCHOST.EXE :agent
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2780
  - - F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2748
  - - C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\recycled\SVCHOST.EXE
        
        C:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2416
    - - F:\recycled\SVCHOST.EXE
        
        F:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2592
    - - C:\recycled\SPOOLSV.EXE
        
        C:\recycled\SPOOLSV.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2564
- - C:\recycled\SPOOLSV.EXE
    C:\recycled\SPOOLSV.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1992
- - C:\Windows\SysWOW64\userinit.exe
    C:\Windows\system32\userinit.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\Explorer.exe
      Explorer.exe "C:\recycled\SVCHOST.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2892
- F:\recycled\SVCHOST.EXE
  F:\recycled\SVCHOST.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2184
- C:\recycled\SPOOLSV.EXE
  C:\recycled\SPOOLSV.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2456
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0c0b84c014377fcb7fd34e305cd7560b_JaffaCakes118.doc"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycled\desktop.ini

Filesize
65B

MD5
ad0b0b4416f06af436328a3c12dc491b

SHA1
743c7ad130780de78ccbf75aa6f84298720ad3fa

SHA256
23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

SHA512
884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\begolu.txt

Filesize
2B

MD5
2b9d4fa85c8e82132bde46b143040142

SHA1
a02431cf7c501a5b368c91e41283419d8fa9fb03

SHA256
4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

SHA512
c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Download Submit
C:\recycled\SPOOLSV.EXE

Filesize
45KB

MD5
53af4e3f022655ab8a824cb8f95753ac

SHA1
75a5cb0099d50a4292493999a16d87f3521c476a

SHA256
18c286a1fb1a4b577862a645fbfc798c7a0625b2b3c12956c21ccff0545ba320

SHA512
491fd57a18f56dc73072f22cd5c2008b141f5d3364b4079b6ec25543b86a26055d0acaac668070618824383fc8c3a015b1bc52d3bd43e4b44d90dc7727f0cf54

Download Submit
F:\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
254a52358312eb90019f58f9bf279bd2

SHA1
159bec5da55efb0c61c24e71e88588809574240b

SHA256
9af61b1927063b34a72a29a44ff025deaf41a1f1d94e357a9248a6025d984bbd

SHA512
9ac30872f1abc2a64b8d1f0536fc23ec463e5f723eb749bcf3c700905bf5b00bd6aee7cf093ea0c7bf645f0ef61f6a1e2a140843c772324615c4bd8b228ac2a2

Download Submit
\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
f190ea62b84683f1414687a1ba9871a8

SHA1
bf449e3ec48b2c898f4f6f0508de0681fe09228b

SHA256
c3c324573c315968ce2ebf1dbacf15e5e1065963cb3612ec689e87207e4ace93

SHA512
231274e8d7a7155cedf14fcaa7c6d8bf582c6c9e047959a82c9b636d977c57bf585533432c91eba42ca4a9ba3f36d445f152076402ad0f2cd87886439b32c607

Download Submit
memory/1128-106-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1600-176-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/1600-167-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1600-46-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/1600-59-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/1600-52-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/1680-186-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/1680-166-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-37-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/1680-24-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1804-104-0x00000000041C0000-0x00000000041CC000-memory.dmp

Filesize
48KB

Download
memory/1804-97-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1804-22-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1804-21-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1804-105-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1804-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1992-90-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2184-98-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2416-69-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2416-74-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2456-102-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2564-84-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2592-80-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2684-68-0x0000000002420000-0x000000000243A000-memory.dmp

Filesize
104KB

Download
memory/2684-79-0x0000000002BC0000-0x0000000002BDA000-memory.dmp

Filesize
104KB

Download
memory/2684-177-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2684-178-0x0000000002420000-0x000000000243A000-memory.dmp

Filesize
104KB

Download
memory/2684-182-0x0000000002BC0000-0x0000000002BDA000-memory.dmp

Filesize
104KB

Download
memory/2684-73-0x0000000002BC0000-0x0000000002BDA000-memory.dmp

Filesize
104KB

Download
memory/2748-56-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2780-51-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2968-34-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download