f1237a50fd17301f0bb52462bdae3c3bd4647e7b92a9843bb1beafe40a0bcb3d

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
Size

26KB
MD5

269e0491e7c1a47010f538856e543042
SHA1

44a7d4af4ba59b4ea9bec696d122c35f829586eb
SHA256

f1237a50fd17301f0bb52462bdae3c3bd4647e7b92a9843bb1beafe40a0bcb3d
SHA512

5ce61129ddb198b5d3749dca22df81beb9b54b3c9f5a3dac911aeec9450d9b42e1c7301a8f175e4f43da30cae574f87710c65c29105e612335ef1f74d97c494a
SSDEEP

384:1M3PnQoHDCpHf4I4Qwdc0G5KDJ9MFoe7vfO1Ld7:1m/QojCpHfx09MF3vgLd7

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	AE 0124 BE.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
2764	winlogon.exe
2644	AE 0124 BE.exe
2892	winlogon.exe
2736	winlogon.exe

Loads dropped DLL 8 IoCs

pid	Process
2424	269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
2424	269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
2764	winlogon.exe
2764	winlogon.exe
2892	winlogon.exe
2644	AE 0124 BE.exe
2644	AE 0124 BE.exe
2736	winlogon.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Sonata\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini	AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 28 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\A:\Autorun.inf	winlogon.exe
File opened for modification	\??\B:\Autorun.inf	winlogon.exe
File opened for modification	F:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiabr006.inf_amd64_neutral_0232ca4f23224d01\wiabr006.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\powercfg.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\prnts002.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_neutral_8b26ad5d0cc037a9	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cxraptor_fm1216mk5_ibv64.inf_amd64_neutral_3eaae75b591bd148\cxraptor_FM1216MK5_IBV64.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\dnscacheugc.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\NlsLexicons0024.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\DWWIN.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep304.inf_amd64_ja-jp_27c560b15d9928c0\Amd64\EP7MDL0Q.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx005.inf_amd64_neutral_f65eeb9bff6bd8f3\Amd64\LMT634.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr003.inf_amd64_neutral_c07c33bfb5764bdb\Amd64\NR9100D6.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\OEM\StarterE\license.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\dssec.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\pnidui.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\mpio.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgatew.inf_amd64_neutral_84eee4cc19fd00dc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\NAPMONTR.DLL.MUI	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\xpsrchvw.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netb57va.inf_amd64_neutral_6264e97d4fc12211\netb57va.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netvfx64.inf_amd64_neutral_194cb6d2ea3a486e\netvfx64.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\hpoa1nd.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\nshipsec.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\C_20001.NLS	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep00a.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmracal.inf_amd64_neutral_857b8ff74e5a7073\mdmracal.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\sppcomapi.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\eval\ProfessionalN	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\winsrv.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\prnlx007.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\dssec.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph6xib64c1.inf_amd64_neutral_68c99681343e9b68\Ph6xIB64MV.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Bluetooth-Config\BthMigPlugin.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\C_21025.NLS	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\IPHLPAPI.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\ts_wpdmtp.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_neutral_f77725472d91b1d1	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\bthprint.inf_amd64_neutral_3c11362fa327f5a4\bthprint.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ks.inf_amd64_neutral_2b583ce4a6a029a1\ks.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\Amd64\RIA3010.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsv002.inf_amd64_neutral_6ca80563d6148ee5\Amd64\SV8070.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\cpfilters.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\wlanpref.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\hpsamd.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaxx002.inf_amd64_neutral_fbe080a7dd77c4a3\xrWPpb4.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\dc21x4vm.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\CSRR.rs.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\TerminalServices-AppServer-Licensing-replacement.man	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\powershell.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\NRC6000.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\mtstocom.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnbr003.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netl1c64.inf_amd64_neutral_30b0b06f47cab8cf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\EhStorShell.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\EnterpriseN\license.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\mof.xsl	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\osk.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it\AuthFWWizFwk.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\authfwcfg.mof	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\mspaint.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Enterprise\license.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\mcicda.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\odbcji32.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVR18.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wialx003.inf_amd64_neutral_db618863f9347f9a\wialx003.PNF	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\MSDTC Bridge 4.0.0.0\0416\_TransactionBridgePerfCounters.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-t..tion-core.resources_31bf3856ad364e35_6.1.7600.16385_es-es_281669809605b913	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_wiabr006.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d74bc45bcdcee83f\wiabr006.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-main.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_38696c18b8b83621.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_tpm.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b407ce57a4162dc8.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-alg.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_df6e5718e33fb3ee\alg.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_9b79043567dee40c\license.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmbr005.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1da7b47b4dd36814\BrSerIb.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-iexpress.resources_31bf3856ad364e35_8.0.7600.16385_en-us_9a34be91b5863879\wextract.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-time-tool.resources_31bf3856ad364e35_6.1.7601.17514_en-us_809d3bb22eaa0382\w32tm.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\nfsrc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_prnca00x.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_fr-fr_0b4e588d7bba165e.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\msil_system.printing.resources_31bf3856ad364e35_6.1.7600.16385_es-es_90f754daa0d640f3.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-n..orkcenter.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3faa671a376a6a56.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-openfiles.resources_31bf3856ad364e35_6.1.7600.16385_es-es_78f55c28dac4a01a\openfiles.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-wmpnss-api.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ef8fad68f797468d.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-t..nvservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1693f82b65a2d7cc.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-gisha_31bf3856ad364e35_6.1.7600.16385_none_9cb7ddca79444d70	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9c303c8bce24ecf\AxInstSv.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_boot_pcat_cs-cz_da8bfa0c28cad1cc.cdf-ms	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_inf_servicemodelendpoint_3.0.0.0_0000_1441b5e36e0dde07.cdf-ms	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-r..oyment-languagepack_31bf3856ad364e35_6.1.7601.17514_it-it_0e4e9599723fa009.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-speech-iekillbits_31bf3856ad364e35_6.1.7600.16385_none_a0d1eae76e2d1cb6.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-t..stringime.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b85cbe096064b9bb.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Power\es-ES\Power_Troubleshooter.psd1	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\bda.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_server-help-chm.perfmon.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1bb55f2ad31f8fc5\perfmon.CHM	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-ntlanman.resources_31bf3856ad364e35_6.1.7600.16385_de-de_eec5a30173304188.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..nguageautodetection_31bf3856ad364e35_6.1.7600.16385_none_1cf3ab846377af87.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_netfx-aspnet_webadmin_prov_res_b03f5f7f11d50a3a_6.1.7600.16385_none_6eabfbd9c29ea607.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_hal.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_de-de_54306e5d08f21051.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-usbceip_31bf3856ad364e35_6.1.7600.16385_none_00d405a78e7c4a30.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\msil_microsoft.tpm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_97a55618ccc227c7\microsoft.tpm.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-r..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2df33a926479c43d\cmmon32.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\es\Microsoft.JScript.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-bubbles.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cbfa32a8fea20f26	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-yibaiti_31bf3856ad364e35_6.1.7600.16385_none_b436b1f0d44f46f1\msyi.ttf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ssettings.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d3f17da70bee0f28\Wpc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-r..sisengine.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b15a73888fb2674d\racengn.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_prnbr004.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f0d430ebb73eaed.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-c..lter-html.resources_31bf3856ad364e35_7.0.7600.16385_ja-jp_4ca2a9c889b14516.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1033\vbc7ui.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_pcmcia.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2704f2b7c177fbfc\pcmcia.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_system32_it-it_licenses_eval_starter_8f4fc40e0e4543a2.cdf-ms	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-n..35wpfcomp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_981bb108a193e625.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-optionaltsps.resources_31bf3856ad364e35_6.1.7600.16385_es-es_42410cf2f0de8c35\tcmsetup.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-iis-metabase.resources_31bf3856ad364e35_6.1.7600.16385_it-it_714c780c0f33b227\iscomlog.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-security-kerberos_31bf3856ad364e35_6.1.7601.17514_none_44fce29ac76d1a39\kerberos.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-u..lsettings.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9be399f36d1b1ff8\UserAccountControlSettings.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnbr002.inf_31bf3856ad364e35_6.1.7600.16385_none_49c93aa2c4304e9e\Amd64\BRCI06A.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-dot3-netsh-helper_31bf3856ad364e35_6.1.7601.17514_none_38cd19d2dab6f4ad.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-getuname.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e794bdad50a953ef.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1033\FileTrackerUI.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ackgammon.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2618715ea4ed58f	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-taskkill.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5c3db67537ec1a5d.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-photosamples.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_28b530d6f923d5ac.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-imapiv2-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_07c24db6284f4de4\imapi2.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\winusb.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_amdsata.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9c21da54655fab3d	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-lmhsvc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_97b87d613674f022	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-upnpssdp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_52db6a1d49fd646a\ssdpsrv.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-help-appman_31bf3856ad364e35_6.1.7600.16385_none_7f36184ce0a3b532.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\msil_microsoft.iis.power...provider.resources_31bf3856ad364e35_6.1.7601.17514_en-us_eee506200bd43e29\Microsoft.IIS.PowerShell.Provider.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-directx-direct3d8_31bf3856ad364e35_6.1.7600.16385_none_c222c27ec21ab213.manifest	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AE 0124 BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	269e0491e7c1a47010f538856e543042_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2432	DllHost.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2424	269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
2764	winlogon.exe
2644	AE 0124 BE.exe
2892	winlogon.exe
2736	winlogon.exe
2432	DllHost.exe
2432	DllHost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2764	2424	269e0491e7c1a47010f538856e543042_JaffaCakes118.exe	31
PID 2424 wrote to memory of 2764	2424	269e0491e7c1a47010f538856e543042_JaffaCakes118.exe	31
PID 2424 wrote to memory of 2764	2424	269e0491e7c1a47010f538856e543042_JaffaCakes118.exe	31
PID 2424 wrote to memory of 2764	2424	269e0491e7c1a47010f538856e543042_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2644	2764	winlogon.exe	32
PID 2764 wrote to memory of 2644	2764	winlogon.exe	32
PID 2764 wrote to memory of 2644	2764	winlogon.exe	32
PID 2764 wrote to memory of 2644	2764	winlogon.exe	32
PID 2764 wrote to memory of 2892	2764	winlogon.exe	33
PID 2764 wrote to memory of 2892	2764	winlogon.exe	33
PID 2764 wrote to memory of 2892	2764	winlogon.exe	33
PID 2764 wrote to memory of 2892	2764	winlogon.exe	33
PID 2644 wrote to memory of 2736	2644	AE 0124 BE.exe	34
PID 2644 wrote to memory of 2736	2644	AE 0124 BE.exe	34
PID 2644 wrote to memory of 2736	2644	AE 0124 BE.exe	34
PID 2644 wrote to memory of 2736	2644	AE 0124 BE.exe	34

C:\Users\Admin\AppData\Local\Temp\269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\269e0491e7c1a47010f538856e543042_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2736
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2892

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AE 0124 BE.bmp

Filesize
26KB

MD5
0d9c9359e346ef632c2108c104e36c05

SHA1
2d74ef26d137a4acec487f122ce797b98d002b70

SHA256
cf5e9016fd478aa56458e0456224f66bd50ec3009c0dd19689feab9c656b843a

SHA512
eb780568a4ff8ad230b08c67c8645c8f820433242145fb59e790e9a961a8917e653796681b26ee615d79f29b7186c52c6e7eddca3115dc9bb6f9f9dcdcfce7d1

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e26e215c3645e9da7b826e1afb56ae97

SHA1
47e4f926cb72617dfe0026aa1472896eb2da659f

SHA256
fe2315e195061f11b6e2091c5a8e763adc1b880fa5b53e3bbbe65127585f509d

SHA512
876ac72710da29428bb784dcfd7036d5c907f3a7f061c645002eb0dc7bd044618c4dbdd8cca1aab3fd358eb048f374eb2207e483dc0a62b917cd04e85ce4f59e

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit
memory/2424-13-0x0000000003D40000-0x00000000047FA000-memory.dmp

Filesize
10.7MB

Download
memory/2424-5-0x0000000002C70000-0x0000000002C72000-memory.dmp

Filesize
8KB

Download
memory/2432-12-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2432-6-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2432-172-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2644-49-0x0000000003120000-0x0000000003BDA000-memory.dmp

Filesize
10.7MB

Download
memory/2644-273-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2644-351-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2736-70-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2736-71-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2764-45-0x0000000003460000-0x0000000003F1A000-memory.dmp

Filesize
10.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads