432d9fbf7c68caf68fce7f533e3d00a2876a1e99bce4168a4946766a8dd4e93e

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe
Size

20KB
MD5

17b4cacaa258654d10cbf083d0d3c350
SHA1

7cb87f63202cde1e18deb0f7d18e8083c9ec2225
SHA256

432d9fbf7c68caf68fce7f533e3d00a2876a1e99bce4168a4946766a8dd4e93e
SHA512

c35b9908dc136fe280a1979c3e4dc956c15ec929fbcb6bbd2a3cd707d048a7880d2db96e0df12213f44552ad0f84930e47112732e154cbee8a341d15f88d3efd
SSDEEP

384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh5eZEKup9Ebir:g5BOFKksO1mE9B77777J77c77c77c71b

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\3A3356.exe\""	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\3A3356.exe\""	3A3356.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\3A3356.exe\""	3A3356RQSUQT.exe

Executes dropped EXE 5 IoCs

pid	Process
2888	3A3356.exe
1852	3A3356RQSUQT.exe
3024	3A3356RQSUQT.exe
2968	3A3356.exe
2728	3A3356.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3A3356.exe = "C:\\Windows\\3A3356.exe"	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3A3356.exe = "C:\\Windows\\3A3356.exe"	3A3356.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3A3356.exe = "C:\\Windows\\3A3356.exe"	3A3356RQSUQT.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0007000000016652-6.dat	upx
behavioral1/memory/2888-14-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0008000000016858-18.dat	upx
behavioral1/memory/3024-23-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/3024-29-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2968-35-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2728-41-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2236-43-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2888-44-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-45-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2888-47-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-48-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2888-49-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-50-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2888-51-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-52-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2888-53-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-54-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2888-55-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-56-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2888-57-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-58-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2888-59-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-60-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-62-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2888-61-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2888-63-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-64-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-66-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2888-67-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-68-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-70-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2888-69-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2888-71-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-72-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2888-73-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1852-74-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\3A3356.exe	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe
File opened for modification	C:\Windows\3A3356RQSUQT.exe	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3A3356.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3A3356RQSUQT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3A3356.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3A3356RQSUQT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3A3356.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe

Kills process with taskkill 42 IoCs

evasion

pid	Process
2544	TASKKILL.exe
3044	TASKKILL.exe
2720	TASKKILL.exe
1076	TASKKILL.exe
3064	TASKKILL.exe
1536	TASKKILL.exe
1920	TASKKILL.exe
1156	TASKKILL.exe
2816	TASKKILL.exe
1160	TASKKILL.exe
2504	TASKKILL.exe
3068	TASKKILL.exe
2980	TASKKILL.exe
1980	TASKKILL.exe
988	TASKKILL.exe
1704	TASKKILL.exe
2232	TASKKILL.exe
2288	TASKKILL.exe
2148	TASKKILL.exe
1444	TASKKILL.exe
1524	TASKKILL.exe
1484	TASKKILL.exe
3008	TASKKILL.exe
2916	TASKKILL.exe
1376	TASKKILL.exe
3032	TASKKILL.exe
2852	TASKKILL.exe
932	TASKKILL.exe
2404	TASKKILL.exe
2320	TASKKILL.exe
836	TASKKILL.exe
1928	TASKKILL.exe
1956	TASKKILL.exe
1368	TASKKILL.exe
1676	TASKKILL.exe
2488	TASKKILL.exe
2708	TASKKILL.exe
460	TASKKILL.exe
2240	TASKKILL.exe
2860	TASKKILL.exe
2052	TASKKILL.exe
688	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	TASKKILL.exe
Token: SeDebugPrivilege	1920	TASKKILL.exe
Token: SeDebugPrivilege	2404	TASKKILL.exe
Token: SeDebugPrivilege	2320	TASKKILL.exe
Token: SeDebugPrivilege	3044	TASKKILL.exe
Token: SeDebugPrivilege	2544	TASKKILL.exe
Token: SeDebugPrivilege	2708	TASKKILL.exe
Token: SeDebugPrivilege	2720	TASKKILL.exe
Token: SeDebugPrivilege	2860	TASKKILL.exe
Token: SeDebugPrivilege	2148	TASKKILL.exe
Token: SeDebugPrivilege	2816	TASKKILL.exe
Token: SeDebugPrivilege	3032	TASKKILL.exe
Token: SeDebugPrivilege	2980	TASKKILL.exe
Token: SeDebugPrivilege	1156	TASKKILL.exe
Token: SeDebugPrivilege	3068	TASKKILL.exe
Token: SeDebugPrivilege	1160	TASKKILL.exe
Token: SeDebugPrivilege	2504	TASKKILL.exe
Token: SeDebugPrivilege	1980	TASKKILL.exe
Token: SeDebugPrivilege	836	TASKKILL.exe
Token: SeDebugPrivilege	1484	TASKKILL.exe
Token: SeDebugPrivilege	1928	TASKKILL.exe
Token: SeDebugPrivilege	1524	TASKKILL.exe
Token: SeDebugPrivilege	2052	TASKKILL.exe
Token: SeDebugPrivilege	2852	TASKKILL.exe
Token: SeDebugPrivilege	1076	TASKKILL.exe
Token: SeDebugPrivilege	460	TASKKILL.exe
Token: SeDebugPrivilege	3064	TASKKILL.exe
Token: SeDebugPrivilege	1444	TASKKILL.exe
Token: SeDebugPrivilege	1956	TASKKILL.exe
Token: SeDebugPrivilege	1536	TASKKILL.exe
Token: SeDebugPrivilege	988	TASKKILL.exe
Token: SeDebugPrivilege	2916	TASKKILL.exe
Token: SeDebugPrivilege	688	TASKKILL.exe
Token: SeDebugPrivilege	1376	TASKKILL.exe
Token: SeDebugPrivilege	1676	TASKKILL.exe
Token: SeDebugPrivilege	3008	TASKKILL.exe
Token: SeDebugPrivilege	1368	TASKKILL.exe
Token: SeDebugPrivilege	932	TASKKILL.exe
Token: SeDebugPrivilege	1704	TASKKILL.exe
Token: SeDebugPrivilege	2288	TASKKILL.exe
Token: SeDebugPrivilege	2232	TASKKILL.exe
Token: SeDebugPrivilege	2488	TASKKILL.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe
2888	3A3356.exe
1852	3A3356RQSUQT.exe
3024	3A3356RQSUQT.exe
2968	3A3356.exe
2728	3A3356.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2148	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2148	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2148	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2148	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	30
PID 2236 wrote to memory of 1920	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	31
PID 2236 wrote to memory of 1920	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	31
PID 2236 wrote to memory of 1920	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	31
PID 2236 wrote to memory of 1920	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	31
PID 2236 wrote to memory of 2544	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	33
PID 2236 wrote to memory of 2544	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	33
PID 2236 wrote to memory of 2544	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	33
PID 2236 wrote to memory of 2544	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	33
PID 2236 wrote to memory of 2240	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	34
PID 2236 wrote to memory of 2240	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	34
PID 2236 wrote to memory of 2240	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	34
PID 2236 wrote to memory of 2240	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	34
PID 2236 wrote to memory of 3032	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	37
PID 2236 wrote to memory of 3032	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	37
PID 2236 wrote to memory of 3032	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	37
PID 2236 wrote to memory of 3032	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	37
PID 2236 wrote to memory of 3044	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	38
PID 2236 wrote to memory of 3044	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	38
PID 2236 wrote to memory of 3044	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	38
PID 2236 wrote to memory of 3044	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	38
PID 2236 wrote to memory of 2404	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	40
PID 2236 wrote to memory of 2404	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	40
PID 2236 wrote to memory of 2404	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	40
PID 2236 wrote to memory of 2404	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	40
PID 2236 wrote to memory of 2320	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	42
PID 2236 wrote to memory of 2320	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	42
PID 2236 wrote to memory of 2320	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	42
PID 2236 wrote to memory of 2320	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	42
PID 2236 wrote to memory of 2708	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	44
PID 2236 wrote to memory of 2708	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	44
PID 2236 wrote to memory of 2708	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	44
PID 2236 wrote to memory of 2708	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	44
PID 2236 wrote to memory of 1156	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	45
PID 2236 wrote to memory of 1156	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	45
PID 2236 wrote to memory of 1156	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	45
PID 2236 wrote to memory of 1156	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	45
PID 2236 wrote to memory of 2720	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	48
PID 2236 wrote to memory of 2720	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	48
PID 2236 wrote to memory of 2720	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	48
PID 2236 wrote to memory of 2720	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	48
PID 2236 wrote to memory of 2980	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	49
PID 2236 wrote to memory of 2980	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	49
PID 2236 wrote to memory of 2980	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	49
PID 2236 wrote to memory of 2980	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	49
PID 2236 wrote to memory of 2816	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	51
PID 2236 wrote to memory of 2816	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	51
PID 2236 wrote to memory of 2816	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	51
PID 2236 wrote to memory of 2816	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	51
PID 2236 wrote to memory of 2860	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	52
PID 2236 wrote to memory of 2860	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	52
PID 2236 wrote to memory of 2860	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	52
PID 2236 wrote to memory of 2860	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	52
PID 2236 wrote to memory of 2888	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	58
PID 2236 wrote to memory of 2888	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	58
PID 2236 wrote to memory of 2888	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	58
PID 2236 wrote to memory of 2888	2236	17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe	58
PID 2888 wrote to memory of 3068	2888	3A3356.exe	59
PID 2888 wrote to memory of 3068	2888	3A3356.exe	59
PID 2888 wrote to memory of 3068	2888	3A3356.exe	59
PID 2888 wrote to memory of 3068	2888	3A3356.exe	59

C:\Users\Admin\AppData\Local\Temp\17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17b4cacaa258654d10cbf083d0d3c350_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\3A3356.exe
  C:\Windows\3A3356.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:460
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- - C:\Windows\3A3356RQSUQT.exe
    C:\Windows\3A3356RQSUQT.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1852
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3008
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2916
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1536
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:988
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1368
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1676
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:688
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1376
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:932
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2288
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2232
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1704
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2488
  - - C:\Windows\3A3356RQSUQT.exe
      C:\Windows\3A3356RQSUQT.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3024
  - - C:\Windows\3A3356.exe
      C:\Windows\3A3356.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2968
- - C:\Windows\3A3356.exe
    C:\Windows\3A3356.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\3A3356.exe

Filesize
26KB

MD5
1a489fd7ae5090948b2b57055be535eb

SHA1
4748a848aff6938f5ada7a6623874f6b002ea608

SHA256
1fb696ec6ff29ba9d7aa44e2d2f5e2732f7ace8ca5c8d6ab488acf405bee6914

SHA512
d9de3c1802c78b042bea358bf845be89238a525b9777dd75f1357869555d8682b1b56a1424bcd040658e6ed937cb9e248a3b0094548f4b924b5bc7c7cb924c79

Download Submit
C:\Windows\3A3356RQSUQT.exe

Filesize
19KB

MD5
5370049775145dcdd5f460c4485ac19a

SHA1
fb28dcb13313af206430c3bc6c45926c84e0d778

SHA256
5132e35faa493b484c94d791662414be61141274199acce2bda93774045cbb8a

SHA512
cc876267bcc800428f9da9df618c2fea9230adbcd07883d7f15a3b1eeb4414eec8487dd4557127b3f8c8a8058d45e31713f543f9688359d98de937871788a645

Download Submit
memory/1852-62-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1852-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1852-72-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1852-74-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1852-70-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1852-30-0x0000000000330000-0x000000000033F000-memory.dmp

Filesize
60KB

Download
memory/1852-68-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1852-66-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1852-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1852-52-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1852-64-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1852-45-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1852-46-0x0000000000330000-0x000000000033F000-memory.dmp

Filesize
60KB

Download
memory/1852-58-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1852-48-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1852-60-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1852-50-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2236-12-0x00000000002E0000-0x00000000002EF000-memory.dmp

Filesize
60KB

Download
memory/2236-43-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2236-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2728-41-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-63-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-14-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-51-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-59-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-49-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-47-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-61-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-57-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-53-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-67-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-44-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-73-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-19-0x0000000000260000-0x000000000026F000-memory.dmp

Filesize
60KB

Download
memory/2888-69-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-71-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2968-35-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3024-23-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3024-29-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads