e86488daf656ce870dd9ff47ab5800ad09eda0438d3c988fad206fe8921659a2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe
Size

181KB
MD5

111096d014f5f7ede72dd9f7e007a440
SHA1

4082f16dd3f6700bc33e207cd3554d59768209ce
SHA256

e86488daf656ce870dd9ff47ab5800ad09eda0438d3c988fad206fe8921659a2
SHA512

5a958ed981de0df31ce4f29a83d116e7f552adbb226f51e0a159e41dcba2b0f7d4d6e0209e811ae41e3ebb4be1843df00620323aecdb5b995cadcf9ebaa2b91b
SSDEEP

3072:avBZfKvWfL8Nm+7Dnl90MCmidt3yrR+B0btOg9DNzN0zgi5D525ioMvVflSRsJI+:mfKOTU7Dv0MV4tNBu7Dv0zrDqiVflSRU

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4628	urdvxc.exe

Executes dropped EXE 4 IoCs

pid	Process
4800	urdvxc.exe
4768	urdvxc.exe
3024	urdvxc.exe
4628	urdvxc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\urdvxc.exe	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\revhnlhn.exe	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\hcjzqenb.exe	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	urdvxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\chllsvtv.exe	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\rvhrjtnt.exe	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	urdvxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\vbthsrel.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\bkbbtzlb.exe	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlbvwvhv.exe	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\nxqsxhql.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\README.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\hrbhlxhb.exe	urdvxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\tsbknceh.exe	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html	urdvxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\msapp-error.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\kznjrtew.exe	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html	urdvxc.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	urdvxc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BFAF607-9DDA-565E-A528-64082B45FA4C}\LocalServer32\ = "C:\\Program Files\\VideoLAN\\VLC\\lua\\http\\kznjrtew.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8308FF82-554C-D53A-FE36-8DDED83673EF}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71C0B885-A895-A996-0100-43C13A5EFD0A}\ = "wbjljebjkzwslzht"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A1F8B4D-AC79-4B22-67EA-E30560A5BF1C}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A1F8B4D-AC79-4B22-67EA-E30560A5BF1C}\LocalServer32\ = "C:\\Program Files\\VideoLAN\\VLC\\lua\\http\\bkbbtzlb.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BFAF607-9DDA-565E-A528-64082B45FA4C}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62B77361-C052-178D-5313-7AF2D2475E12}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "cbssbbkkhqqtnkrk"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A1F8B4D-AC79-4B22-67EA-E30560A5BF1C}\ = "envtsejebkjbxvtj"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DA7BCA8-2512-8FCE-67B5-F36442F4E210}\LocalServer32\ = "C:\\Program Files\\VideoLAN\\VLC\\lua\\http\\vlbvwvhv.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D72C442F-6EA9-BFAF-2703-0F262F8765FD}\ = "bqbljhecsqjwhehq"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D72C442F-6EA9-BFAF-2703-0F262F8765FD}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71C0B885-A895-A996-0100-43C13A5EFD0A}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71C0B885-A895-A996-0100-43C13A5EFD0A}\LocalServer32\ = "C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\\vbthsrel.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D72C442F-6EA9-BFAF-2703-0F262F8765FD}\LocalServer32\ = "C:\\Program Files\\Java\\jdk-1.8\\chllsvtv.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62B77361-C052-178D-5313-7AF2D2475E12}\ = "llzsceveellhjrjh"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62B77361-C052-178D-5313-7AF2D2475E12}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8308FF82-554C-D53A-FE36-8DDED83673EF}\LocalServer32\ = "C:\\Program Files\\VideoLAN\\VLC\\lua\\http\\hrbhlxhb.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC84F518-2B78-BCFB-E876-EDAE640549C3}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\ = "xjsrekwkjwbeetzr"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\Office16\\PersonaSpy\\tsbknceh.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C10CC38-A71C-D88E-C4DE-3BD6097805E4}\ = "heezkbknbjrksens"	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC84F518-2B78-BCFB-E876-EDAE640549C3}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\Smart Tag\\1033\\rvhrjtnt.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BFAF607-9DDA-565E-A528-64082B45FA4C}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA7E191-3518-8C5E-DAD0-E316016B7509}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "bqlzrlxnbbnlzqvl"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\ = "nejbrnreetjtkbvh"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DA7BCA8-2512-8FCE-67B5-F36442F4E210}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C10CC38-A71C-D88E-C4DE-3BD6097805E4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe"	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC84F518-2B78-BCFB-E876-EDAE640549C3}\LocalServer32\ = "C:\\Program Files\\Java\\jre-1.8\\hcjzqenb.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA7E191-3518-8C5E-DAD0-E316016B7509}\ = "wtnbnehkctbwjsnn"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA7E191-3518-8C5E-DAD0-E316016B7509}\LocalServer32\ = "C:\\Program Files\\Java\\jdk-1.8\\jre\\revhnlhn.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DA7BCA8-2512-8FCE-67B5-F36442F4E210}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "sjlkjtrhcsecztcv"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8308FF82-554C-D53A-FE36-8DDED83673EF}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C10CC38-A71C-D88E-C4DE-3BD6097805E4}	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D72C442F-6EA9-BFAF-2703-0F262F8765FD}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8308FF82-554C-D53A-FE36-8DDED83673EF}\ = "hrsjtknrhrkxtsrz"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C10CC38-A71C-D88E-C4DE-3BD6097805E4}\LocalServer32	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "etlrbwxjlvxecrhz"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A1F8B4D-AC79-4B22-67EA-E30560A5BF1C}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62B77361-C052-178D-5313-7AF2D2475E12}\LocalServer32\ = "C:\\Program Files\\VideoLAN\\VLC\\lua\\http\\nxqsxhql.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71C0B885-A895-A996-0100-43C13A5EFD0A}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BFAF607-9DDA-565E-A528-64082B45FA4C}\ = "slshcnjkrkhkcjll"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DA7BCA8-2512-8FCE-67B5-F36442F4E210}\ = "hkwzkhhsblqlctht"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA7E191-3518-8C5E-DAD0-E316016B7509}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC84F518-2B78-BCFB-E876-EDAE640549C3}\ = "klrxnsccbnjhqxqh"	urdvxc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 4800	4580	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe	82
PID 4580 wrote to memory of 4800	4580	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe	82
PID 4580 wrote to memory of 4800	4580	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe	82
PID 4580 wrote to memory of 4768	4580	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe	83
PID 4580 wrote to memory of 4768	4580	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe	83
PID 4580 wrote to memory of 4768	4580	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe	83
PID 4580 wrote to memory of 4628	4580	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe	85
PID 4580 wrote to memory of 4628	4580	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe	85
PID 4580 wrote to memory of 4628	4580	111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /installservice
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4768
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\111096d014f5f7ede72dd9f7e007a440_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies registry class
  PID:4628

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\urdvxc.exe

Filesize
181KB

MD5
111096d014f5f7ede72dd9f7e007a440

SHA1
4082f16dd3f6700bc33e207cd3554d59768209ce

SHA256
e86488daf656ce870dd9ff47ab5800ad09eda0438d3c988fad206fe8921659a2

SHA512
5a958ed981de0df31ce4f29a83d116e7f552adbb226f51e0a159e41dcba2b0f7d4d6e0209e811ae41e3ebb4be1843df00620323aecdb5b995cadcf9ebaa2b91b

Download Submit
memory/3024-49-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-18-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-453-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-79-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-48-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-12-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-19-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-20-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-21-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-22-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-23-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-24-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-25-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-26-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-27-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-28-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-29-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-30-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-31-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-32-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-33-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-34-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-35-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-36-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-38-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-39-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-40-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-41-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-42-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-43-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-44-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-45-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-46-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-47-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-50-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-14-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-78-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-51-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-52-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-53-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-54-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-77-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-56-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-57-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-58-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-59-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-60-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-61-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-62-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-63-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-64-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-65-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-66-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-67-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-68-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-69-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-70-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-71-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-72-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-73-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-74-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-75-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/3024-76-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/4580-1-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/4580-104-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/4580-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4628-55-0x0000000000190000-0x00000000001AF000-memory.dmp

Filesize
124KB

Download
memory/4768-10-0x0000000000190000-0x00000000001AF000-memory.dmp

Filesize
124KB

Download
memory/4768-13-0x0000000000190000-0x00000000001AF000-memory.dmp

Filesize
124KB

Download
memory/4800-6-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/4800-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4800-8-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download