Analysis
max time kernel: 150s
max time network: 128s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-10-2024 17:52
Static task: static1
Behavioral task: behavioral1
Sample: 145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe
Size: 608KB
MD5: 145b2d57492686e1c4b6e4c748b762a1
SHA1: 478ce27333abef93d976bc9003dc31357b1041cb
SHA256: 8cda444ded1ae7ceee618c59b9535a732295091621828c1f7f07ca044eeea239
SHA512: ec02a818280356afb09fe8e9464fb644a9b0bd1a9e37ee2abf14a5002317564f24bb603ecffbfe03ac066aca0b083d77f67ff6cd03cdb4899bc1f8dc2806baa7
SSDEEP: 12288:GBYDZJr1E+3JcdrXxE3Vq4Vcim38bJ6vKDn5gcPUbjC:GqF6+ydroLrJ6vKVgkUb
Malware Config
Signatures
-
Modifies security service (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | 3nua.exe
wscsvc is the Windows Security Center service; Start = 3 is SERVICE_DEMAND_START, so after this write the service no longer starts automatically at boot.
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | aUY5E15SY8.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | kaanum.exe
ShowSuperHidden = 0 is the "Hide protected operating system files" setting; with it off, files carrying the hidden+system attributes stay invisible in Explorer even if the user has turned on "show hidden files".
-
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
The only process attributed here is explorer.exe (PID 2076), which sits at the top level of the process tree rather than under the sample, and the key is the per-user HKCU bookkeeping copy, not the HKLM Active Setup key that defines components to run. Treat this hit as shell activity of the analysis VM unless injection into explorer.exe is established.
-
Disables taskbar notifications via registry modification
-
Deletes itself (1 IoC)
pid | Process
2380 | cmd.exe
-
Executes dropped EXE (12 IoCs)
pid | Process
2064 | aUY5E15SY8.exe
1764 | kaanum.exe
2756 | 2nua.exe
2788 | 2nua.exe
2792 | 2nua.exe
2688 | 2nua.exe
2564 | 2nua.exe
3064 | 2nua.exe
2608 | 3nua.exe
2984 | 3nua.exe
1128 | 3nua.exe
2524 | 7974.tmp
-
Loads dropped DLL (10 IoCs)
pid | Process | loads
1856 | 145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe | 6
2064 | aUY5E15SY8.exe | 2
2608 | 3nua.exe | 2
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application (2 TTPs, 51 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaanum = "C:\\Users\\Admin\\kaanum.exe /<switch>" | kaanum.exe (49 writes; <switch> in order of appearance: /n /t /F /G /L /Q /A /W /S /C /J /y /D /m /Z /d /a /j /U /Y /p /h /s /r /u /T /w /k /H /I /i /g /e /x /V /q /f /o /c /B /R /K /E /z /l /v /O /M /P)
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaanum = "C:\\Users\\Admin\\kaanum.exe /D" | aUY5E15SY8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\379.exe = "C:\\Program Files (x86)\\LP\\EC0B\\379.exe" | 3nua.exe
All 50 HKCU writes target the same value name, kaanum, and differ only in a single-letter switch; only the final write survives on disk, so a host check should expect one Run value pointing at C:\Users\Admin\kaanum.exe, not 49 of them. The HKLM entry sits under Wow6432Node because 3nua.exe is a 32-bit process, and it points at the 379.exe dropped into Program Files (x86)\LP\EC0B (see "Drops file in Program Files directory").
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 2nua.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 2nua.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 2nua.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 2nua.exe
Disk\Enum\0 holds the device instance path of the first disk, which embeds the vendor string (in a virtual machine typically a VMware, VBOX or QEMU identifier). The two readers are the 2nua.exe children 2792 and 2688, both targets of SetThreadContext from 2756 in the process tree below.
-
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
pid | Process
2556 | tasklist.exe
2900 | tasklist.exe
Both instances belong to the cmd.exe /c tasklist&&del ... commands in the process tree; the enumeration is incidental to the self-deletion routine, and its output is not redirected anywhere.
-
Suspicious use of SetThreadContext (5 IoCs)
description | pid | Process | procid_target
PID 2756 set thread context of 2788 | 2756 | 2nua.exe | 37
PID 2756 set thread context of 2792 | 2756 | 2nua.exe | 38
PID 2756 set thread context of 2688 | 2756 | 2nua.exe | 39
PID 2756 set thread context of 2564 | 2756 | 2nua.exe | 40
PID 2756 set thread context of 3064 | 2756 | 2nua.exe | 41
A parent that writes into five freshly spawned copies of its own image (see "Suspicious use of WriteProcessMemory" below) and then sets their thread context is the process-hollowing pattern: the child's image is replaced in memory and SetThreadContext redirects its main thread to the new entry point.
YARA rule matches (24 memory dumps, all rule upx)
resource | yara_rule
behavioral1/memory/2792-{42,44,47,49,50,71,107}-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2564-{65,67,73,75,86,96}-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral1/memory/3064-{78,80,83,85,87,94}-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/2608-{111,128,289}-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral1/memory/2984-124-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral1/memory/1128-285-0x0000000000400000-0x000000000046A000-memory.dmp | upx
The 2nua.exe children 2792, 2564 and 3064 map different image sizes (0x29000, 0x7000 and 0xA000) at the same base address although they share one on-disk path, consistent with 2756 loading a different UPX-packed payload into each; the three 3nua.exe processes share a single 0x6A000 image.
-
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\LP\EC0B\7974.tmp | 3nua.exe
File opened for modification | C:\Program Files (x86)\LP\EC0B\379.exe | 3nua.exe
File created | C:\Program Files (x86)\LP\EC0B\379.exe | 3nua.exe
Writing under Program Files (x86) needs administrative rights; the sandbox runs the sample as the Admin user, so do not assume the same drop (or the HKLM Run key that points at it) succeeds on a standard-user host.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 15 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process | opens
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2nua.exe | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3nua.exe | 3
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aUY5E15SY8.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kaanum.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7974.tmp | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe | 1
This key is read by ordinary locale-initialisation code whenever a process resolves the system default language; the hits on cmd.exe and tasklist.exe show how low the specificity of the indicator is. It supports a geofencing hypothesis only alongside other evidence, such as an early exit on particular locales.
-
Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
BagMRU and NodeSlots are ShellBag keys that Explorer updates whenever a folder view is opened; all five writes come from the top-level explorer.exe (PID 2076), so they record desktop activity in the VM rather than sample behaviour.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | events among the 64 listed
1764 | kaanum.exe | 45
2608 | 3nua.exe | 14
2064 | aUY5E15SY8.exe | 2
2792 | 2nua.exe | 2
2688 | 2nua.exe | 1
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2076 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken (17 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2556 | tasklist.exe
Token: SeRestorePrivilege | 2932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2932 | msiexec.exe
Token: SeSecurityPrivilege | 2932 | msiexec.exe
Token: SeDebugPrivilege | 2900 | tasklist.exe
Token: SeShutdownPrivilege (×12) | 2076 | explorer.exe
None of the sample's own binaries appear here: tasklist.exe enables SeDebugPrivilege by design to read other processes, msiexec.exe /V is the Windows Installer service, and explorer.exe is the VM's shell.
-
Suspicious use of FindShellTrayWindow (28 IoCs)
pid | Process
2076 | explorer.exe (×28)
-
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
2076 | explorer.exe (×18)
-
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
1856 | 145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe
2064 | aUY5E15SY8.exe
1764 | kaanum.exe
2756 | 2nua.exe
3064 | 2nua.exe
2564 | 2nua.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
writer pid (Process) -> target pid | procid_target | writes
1856 (145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe) -> 2064 | 30 | 4
2064 (aUY5E15SY8.exe) -> 1764 | 32 | 4
2064 (aUY5E15SY8.exe) -> 1608 | 33 | 4
1856 (145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe) -> 2756 | 35 | 4
1608 (cmd.exe) -> 2556 | 36 | 4
2756 (2nua.exe) -> 2788 | 37 | 5
2756 (2nua.exe) -> 2792 | 38 | 8
2756 (2nua.exe) -> 2688 | 39 | 10
2756 (2nua.exe) -> 2564 | 40 | 8
2756 (2nua.exe) -> 3064 | 41 | 8
1856 (145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe) -> 2608 | 43 | 4
1856 (145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe) -> 2380 | 46 | 1
Every parent in this report shows a few writes into each child it creates, including cmd.exe into tasklist.exe; the five 2nua.exe children stand out because 2756 writes to them more heavily and also sets their thread context, the hollowing combination noted above. The report lists at most 64 entries, so the final pair (1856 -> 2380) is probably truncated.
-
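The correlation below is an added example and not part of the sandbox report or its vendor's tooling. It replays WriteProcessMemory and SetThreadContext event lines written in the report's own notation against a pid-to-image map and flags the (writer, target) pairs that show both behaviours, separating them from the few writes every parent makes while creating a child. SAMPLE_EVENTS and PROCESSES are constructed here from the figures in this report (a subset of the 64 listed writes); the labels "hollowing candidate" and "plain spawn" are this example's own.

```python
import re
from collections import defaultdict

# pid -> image, taken from the process tree in this report (constructed map, not a vendor export).
PROCESSES = {
    1856: "145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe",
    2064: "aUY5E15SY8.exe", 2380: "cmd.exe", 2608: "3nua.exe",
    2756: "2nua.exe", 2788: "2nua.exe", 2792: "2nua.exe",
    2688: "2nua.exe", 2564: "2nua.exe", 3064: "2nua.exe",
}

# Event lines in the report's notation:
#   PID <src> wrote to memory of <dst> <src> <src image> <procid_target>
#   PID <src> set thread context of <dst> <src> <src image> <procid_target>
# Constructed to mirror a subset of the events listed in this report.
_ROOT = "145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe"
SAMPLE_EVENTS = "\n".join(
    [f"PID 1856 wrote to memory of 2064 1856 {_ROOT} 30"] * 4
    + ["PID 2756 set thread context of 2788 2756 2nua.exe 37"]
    + ["PID 2756 wrote to memory of 2788 2756 2nua.exe 37"] * 5
    + ["PID 2756 set thread context of 2792 2756 2nua.exe 38"]
    + ["PID 2756 wrote to memory of 2792 2756 2nua.exe 38"] * 8
    + [f"PID 1856 wrote to memory of 2380 1856 {_ROOT} 46"]
)

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<image>\S+) (?P<target>\d+)$"
)


def correlate(event_text, processes):
    """Group cross-process memory writes and thread-context changes by (writer, target) pair."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": 0, "image": None})
    for line in event_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rec = pairs[(int(m["src"]), int(m["dst"]))]
        rec["image"] = m["image"]
        rec["writes" if m["op"].startswith("wrote") else "set_context"] += 1

    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        child_image = processes.get(dst, "?")
        if rec["set_context"]:
            # Writes into a child followed by SetThreadContext on it is the hollowing
            # combination: the image is replaced, then the main thread is pointed at it.
            verdict = "hollowing candidate"
            if child_image == rec["image"]:
                verdict += " (self-image)"  # parent and child share one binary on disk
        else:
            # A few writes with no context change is what every parent in this report
            # shows while creating a child; on its own it is not an injection signal.
            verdict = "plain spawn"
        findings.append({
            "parent": src, "child": dst, "parent_image": rec["image"],
            "child_image": child_image, "writes": rec["writes"],
            "set_context": rec["set_context"], "verdict": verdict,
        })
    return findings


def hollowed_children(findings):
    """Sorted pids of children that received a thread-context change from their writer."""
    return sorted(f["child"] for f in findings if f["set_context"])


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS, PROCESSES):
        print(f"{f['parent']:>5} -> {f['child']:<5} writes={f['writes']:<2} "
              f"ctx={f['set_context']} {f['verdict']}")
```

Run as a script it prints one line per pair; the (self-image) tag is the thing to look for here, since the sample hollows copies of its own 2nua.exe rather than a system binary, which defeats detections that only compare parent and child image names.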
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 3nua.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | 3nua.exe
HideSCAHealth = 1 removes the Action Center (security health) icon from the notification area, which is what the "Disables taskbar notifications via registry modification" signature above refers to; together with the wscsvc start-type change it keeps the user from being warned that Security Center is no longer running.
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
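As an added example, not part of the report or of any vendor tooling, the Python below parses registry events written in the notation the signatures above use, normalises the hive prefixes to HKLM/HKU, and maps the behaviours seen here (Run-key writes, a service start-type change, ShowSuperHidden = 0, the Explorer policy key and Active Setup) to ATT&CK technique IDs, collapsing the repeated writes to one Run value into a single finding with a write count. SAMPLE_EVENTS is constructed from this report's IoCs; WATCHED_SERVICES is an assumed watch list, and the rule set and labels are this example's own, not the sandbox's signature logic.

```python
import re
from collections import defaultdict

# Registry events in the sandbox report's notation, one per line:
#   <op> <key path>[ = "<value>"] <process>
# Constructed here from the IoCs in this report (not a vendor export).
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" 3nua.exe
Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" kaanum.exe
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaanum = "C:\\Users\\Admin\\kaanum.exe /n" kaanum.exe
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaanum = "C:\\Users\\Admin\\kaanum.exe /t" kaanum.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\379.exe = "C:\\Program Files (x86)\\LP\\EC0B\\379.exe" 3nua.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 3nua.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" 3nua.exe
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
"""

OPS = ("Set value (int)", "Set value (str)", "Set value (data)",
       "Key created", "Key opened", "Key value queried")

SERVICE_START = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# Security-relevant services whose start type a dropper should never touch (assumed watch list).
WATCHED_SERVICES = {"wscsvc", "windefend", "mpssvc", "wuauserv", "bfe"}

RULES = [  # (technique label, key-path pattern, optional predicate on the written value)
    ("T1547.001 Run key", re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I), None),
    ("T1547.014 Active Setup", re.compile(r"\\Active Setup\\Installed Components", re.I), None),
    ("T1543.003 service start type", re.compile(r"\\Services\\([^\\]+)\\Start$", re.I), None),
    ("T1564.001 hide protected OS files",
     re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I), lambda v: v == "0"),
    ("T1112 Explorer policy", re.compile(r"\\Policies\\Explorer(\\[^\\]+)?$", re.I), None),
]


def parse_event(line):
    """Split one event line into op, hive-normalised key path, value (or None) and process."""
    line = line.strip()
    op = next((o for o in OPS if line.startswith(o)), None)
    if op is None:
        return None
    rest = line[len(op):].strip()
    rest, _, process = rest.rpartition(" ")  # the process image is always the last token
    if ' = "' in rest:
        path, _, value = rest.partition(' = "')
        value = value.rstrip('"')
    elif " = " in rest:  # unquoted data, e.g. MRUListEx = ffffffff
        path, _, value = rest.partition(" = ")
    else:
        path, value = rest, None
    upper = path.upper()
    if upper.startswith("\\REGISTRY\\MACHINE\\"):
        path = "HKLM\\" + path[len("\\REGISTRY\\MACHINE\\"):]
    elif upper.startswith("\\REGISTRY\\USER\\"):
        path = "HKU\\" + path[len("\\REGISTRY\\USER\\"):]
    return {"op": op, "path": path, "value": value, "process": process}


def classify(event):
    """Return a technique label for a modifying event, or None for reads and unmatched keys."""
    if not event["op"].startswith(("Set value", "Key created")):
        return None
    for label, pattern, value_ok in RULES:
        m = pattern.search(event["path"])
        if not m or (value_ok is not None and not value_ok(event["value"])):
            continue
        if label.startswith("T1543.003"):
            service = m.group(1).lower()
            if service not in WATCHED_SERVICES:
                return None
            return f"{label}: {service} -> {SERVICE_START.get(event['value'], '?')}"
        return label
    return None


def triage(text):
    """Classify every event; collapse repeated writes to one Run value into a single finding."""
    findings = []
    run_writes = defaultdict(list)  # Run key path -> [(value, process), ...] in report order
    for line in text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        label = classify(event)
        if label is None:
            continue
        if label.startswith("T1547.001"):
            run_writes[event["path"]].append((event["value"], event["process"]))
        else:
            findings.append((label, event["path"], event["value"], event["process"]))
    for path, writes in run_writes.items():
        last_value = writes[-1][0]  # only the final write is what persists on disk
        procs = ",".join(sorted({p for _, p in writes}))
        findings.append((f"T1547.001 Run key ({len(writes)} writes)", path, last_value, procs))
    return findings


if __name__ == "__main__":
    for label, path, value, process in triage(SAMPLE_EVENTS):
        print(f"{label:45} {process:16} {path} = {value!r}")
```

Reads ("Key opened", "Key value queried") are deliberately dropped, which is why the NLS\Language line produces no finding: the signatures above show that indicator firing on cmd.exe and tasklist.exe, and a triage pass should weight modifications over reads.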
Processes
The bracketed number reproduces the nesting depth of the original tree; [1] entries are separate top-level processes, so msiexec.exe and explorer.exe are not children of the sample.

[1] C:\Users\Admin\AppData\Local\Temp\145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe"
    PID: 1856
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\aUY5E15SY8.exe
      command line: C:\Users\Admin\aUY5E15SY8.exe
      PID: 2064
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\kaanum.exe
        command line: "C:\Users\Admin\kaanum.exe"
        PID: 1764
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del aUY5E15SY8.exe
        PID: 1608
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\tasklist.exe
          command line: tasklist
          PID: 2556
          - Enumerates processes with tasklist
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\2nua.exe
      command line: C:\Users\Admin\2nua.exe
      PID: 2756
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\2nua.exe
        command line: "C:\Users\Admin\2nua.exe"
        PID: 2788
        - Executes dropped EXE
    [3] C:\Users\Admin\2nua.exe
        command line: "C:\Users\Admin\2nua.exe"
        PID: 2792
        - Executes dropped EXE
        - Maps connected drives based on registry
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Users\Admin\2nua.exe
        command line: "C:\Users\Admin\2nua.exe"
        PID: 2688
        - Executes dropped EXE
        - Maps connected drives based on registry
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Users\Admin\2nua.exe
        command line: "C:\Users\Admin\2nua.exe"
        PID: 2564
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\2nua.exe
        command line: "C:\Users\Admin\2nua.exe"
        PID: 3064
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\3nua.exe
      command line: C:\Users\Admin\3nua.exe
      PID: 2608
      - Modifies security service
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - System policy modification
    [3] C:\Users\Admin\3nua.exe
        command line: C:\Users\Admin\3nua.exe startC:\Users\Admin\AppData\Roaming\BB060\6B1EC.exe%C:\Users\Admin\AppData\Roaming\BB060
        PID: 2984
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\3nua.exe
        command line: C:\Users\Admin\3nua.exe startC:\Program Files (x86)\608BC\lvvm.exe%C:\Program Files (x86)\608BC
        PID: 1128
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    [3] C:\Program Files (x86)\LP\EC0B\7974.tmp
        command line: "C:\Program Files (x86)\LP\EC0B\7974.tmp"
        PID: 2524
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe
      PID: 2380
      - Deletes itself
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        PID: 2900
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\msiexec.exe
    command line: C:\Windows\system32\msiexec.exe /V
    PID: 2932
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\explorer.exe
    command line: explorer.exe
    PID: 2076
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

Two details worth checking against the image rather than this page: the two 3nua.exe re-launches name C:\Users\Admin\AppData\Roaming\BB060\6B1EC.exe and C:\Program Files (x86)\608BC\lvvm.exe in their command lines (a start<payload path>%<payload directory> argument form), yet neither file appears in the drop IoCs above; and both cmd.exe instances run from SysWOW64, so the deleting shell is 32-bit like the droppers that spawned it.
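The detector below is an added example, not part of the report or of any vendor tooling. Given process-creation events shaped like the two cmd.exe launches in the tree above, it flags a cmd.exe whose del or erase target has the same file name as the image of the process that launched it (the self-deletion pattern behind "Deletes itself"), and records whether a delay command such as tasklist precedes the del, which is what gives the parent time to exit and release its file. The first two events are constructed from the tree; the git.exe event (pids 3999/4000) is an invented benign control, and the ProcEvent field names are this example's own, not a sandbox schema.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


# Constructed from the process tree in this report: the two cmd.exe launches, plus an
# invented benign control (pids 3999/4000, git.exe) that deletes an unrelated file.
EVENTS = [
    ProcEvent(1608, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c tasklist&&del aUY5E15SY8.exe',
              2064, r"C:\Users\Admin\aUY5E15SY8.exe"),
    ProcEvent(2380, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c tasklist&&del 145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe',
              1856, r"C:\Users\Admin\AppData\Local\Temp\145b2d57492686e1c4b6e4c748b762a1_JaffaCakes118.exe"),
    ProcEvent(4000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del /q C:\Temp\build.log',
              3999, r"C:\Program Files\Git\git.exe"),
]

# "del" or "erase" (not preceded by a word character or backslash, so "schtasks /delete"
# and paths do not match), optional /x switches, then the target up to the next operator.
DEL_RE = re.compile(
    r'(?<![\w\\])(?:del|erase)\s+(?:/[a-z]\s+)*"?(?P<target>[^"&|]+?)"?\s*(?:$|&|\|)', re.I)
# Commands commonly chained in front of "del" so the parent can exit and release its file.
DELAY_RE = re.compile(r"\b(tasklist|ping|timeout|choice)\b", re.I)


def detect_self_delete(ev):
    """Flag a cmd.exe whose del/erase target is the image of the process that launched it."""
    if ntpath.basename(ev.image).lower() != "cmd.exe":
        return None
    m = DEL_RE.search(ev.cmdline)
    if not m:
        return None
    target = ntpath.basename(m["target"].strip()).lower()
    parent = ntpath.basename(ev.parent_image)
    if target != parent.lower():
        return None
    return {"pid": ev.pid, "parent_pid": ev.parent_pid, "deleted": parent,
            "delayed": bool(DELAY_RE.search(ev.cmdline))}


def scan(events):
    """Run the detector over a batch of process-creation events and keep only the hits."""
    return [hit for hit in map(detect_self_delete, events) if hit]


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

Matching on the file name rather than the full path is deliberate: the del argument here is a bare name resolved against cmd.exe's working directory, so a full-path comparison would miss both hits in this report.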
Network
MITRE ATT&CK Enterprise v15
The number after each entry is the count of signatures the report attributed to that technique; Persistence and Privilege Escalation share the same autostart and service hits.
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (5)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads
Eight files were captured during the run; their names are not recorded on this page, only sizes and hashes.

1. Filesize: 97KB
   MD5: 29c0a1942c5efa556fcf06cdb27e6b43
   SHA1: 1f4897b7091c159f7402237f093dd66419ef801b
   SHA256: 4f5a26e02022c8e480e3bba16fdbe3c9e19f95ccfded922fdb911403ef1ae0c4
   SHA512: 54389f2ec50d6447f89b15268f4daa3b9a6a0f7c0609648754eaeb6bd6e159c800f1f29f759bd56f42ab6249b246a95081d1e0e9fdd43e56ff2104a7ce458168
2. Filesize: 600B
   MD5: fef27d057557d3a877ec5da7cad126f4
   SHA1: 38fddda4f46e89f64545d4997dbcbda7a067d17a
   SHA256: 9feaf3a3c18c6d34ccb1fef776ccd2a37d732ab4f1964097995cec9cd6fbb1fc
   SHA512: b9e449c8c243bab99225e051a732033ccecefecc73838b199a9a284d8adf60b02d803083886e2296140ae5ebc006ba5d452a8c855cd58ff8b386c6379e31ea70
3. Filesize: 996B
   MD5: 1d944e3bb13618b18d1146ed68a3e95d
   SHA1: d2f83bae4a6fcc5364c59af30bf589205378d9fb
   SHA256: 1fca40e34bc67a64dbe4924246fb088df6d15ee7a77cc9307813ea781392992f
   SHA512: 4ac8ed9f54bb1d6176de43c04d7ced60a850fc0c1d093195c1e1a1961d8cafda1bb5e4bdf363afe989f0cbdfe39642cb61b12354bb19e81a7e418d26d3d7bec3
4. Filesize: 1KB
   MD5: b0c49c75bd2ef2691551a1ff0c7634af
   SHA1: 7c8cf8eac56317c2cee026d7b3b23b38f66da486
   SHA256: a741a7073ebd1e3f626a9cb624e3405f4b56635031c2d843da0a730f8d7afde3
   SHA512: ecbde5e8b69e7597f5c2384b708f881ab5601a9ed55118653e704b1ad75ac99934a706fa7c72eff27482e971b2175e3b131a5d89e8cbd81327f1cec14dc60864
5. Filesize: 224KB
   MD5: b64185be04a7c3882871c07358450544
   SHA1: 6dd00c5f29490e210639ac155e732f7c33e746af
   SHA256: c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
   SHA512: 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21
6. Filesize: 273KB
   MD5: 0fcecac14065f03c4f83bf5ae6ac415b
   SHA1: f71aa4708e16a2a3bf15e2a99cc0ce609b08769b
   SHA256: 79f4527215b4a213f69cf618440202131afa6eb61d2bc6046b718dd4b4ddb787
   SHA512: 49195c9f00c434228dd76151042dc03f7f87b77438734861face0f4ec40391649ed784aaf82b756113a55d55126c9b18c27e44d0c47ca75564ea079eed161003
7. Filesize: 208KB
   MD5: 380575fdf47f22e24cc214c89f098f9d
   SHA1: 5d5584fab3dc5267ffacfd4c331555f4f7703fb6
   SHA256: 04fc572ba5e2e941d3510ed1504cc04490c7f5ff3ec651e6c8ffd6645ef2e0c9
   SHA512: 70ce73ac9a14224c608e1ab60e21dd8bbd5ebcc8c75bb670c0861c8fc4a478965d39a450d32907ff90baa3a8a2fc9e50a9cc8d7385a330b373d3c9854cc8e7e2
8. Filesize: 208KB
   MD5: 307daeb15f74f7a7e5acb7c75d1cf664
   SHA1: ff0e1501a9818f05c3402cc6a758f02f4b5da241
   SHA256: 0de5c816e73fceccc1d3264539a2855b04058e5d5bbf2b341d69066d6daefa34
   SHA512: ea9e0b3bb6696694991e85b3c3dc0a7a3644c6b11a5e75d31fb546207b2e3dfb14a050bc2629eacac995de62c00ea4d29941f278932837ee420e9aa67b11a5fa