Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 09/10/2024, 05:46
- Static task: static1
- Behavioral task: behavioral1 (sample 2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe, resource win7-20240708-en)
General
- Target: 2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe
- Size: 838KB
- MD5: 2bee9df1419903f140ff65c7703c874e
- SHA1: bfacd5769eeadd2e23338f0940ac90e4bc9aec7c
- SHA256: f55becb79884a973b1119216aeb951fb088cc8abf41a8e31550eccbde3ba78d3
- SHA512: 67421befb7337b6959b58e4f6dd906e32330d03b361645e365fc8c52dfd282af353e43fb0152285d462356a352232aec5d454826fe6745341b3d62fab1fa7694
- SSDEEP: 24576:hnJi0+xxQCj7Kc2ckATjAC+HpFkSJVv1t/2JrbEO0L4lnfjZmR:FJi0+xxQCfHhkATjAC+HpFkSJVv1ZE/8
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" (process: svchost.exe)
Disables RegEdit via registry modification (2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: 2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: Application.exe)
Disables Task Manager via registry modification
Drops file in Drivers directory (1 IoC)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (process: Application.exe)
Modifies Windows Firewall (2 TTPs, 1 IoC)
- PID 2564 netsh.exe
Executes dropped EXE (4 IoCs)
- PID 2352 lostsaga.exe
- PID 2876 lostsagamgr.exe
- PID 2848 Application.exe
- PID 2664 WaterMark.exe
Loads dropped DLL (3 IoCs)
- PID 2092 2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe
- PID 2876 lostsagamgr.exe (2 rows)
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (default value) = "C:\\Users\\Admin\\AppData\\Roaming\\Application.exe" (process: Application.exe)
Drops file in System32 directory (4 IoCs)
- File created: C:\Windows\SysWOW64\lostsaga.exe (process: 2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\lostsaga.exe (process: 2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
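The persistence and defence-evasion rows above (Userinit hijack, DisableRegistryTools, Run key into AppData\Roaming, hosts-file write, firewall disabled through netsh) are the artifacts a responder would want to check for on other hosts. The script below is an added example, not part of this report or of tria.ge; the event dictionaries are constructed from the report's own IoC rows plus two benign control rows, in a Sysmon-like shape, and the rule names are this example's own. One caveat the report itself raises: the Userinit write is recorded under the Wow6432Node view because the writer is a 32-bit svchost.exe, so on a 64-bit host query both the native and the WOW64 view of the Winlogon key.

```python
"""Detection checks for the persistence / defence-evasion IoCs in this report.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the report's signature rows; on a real host feed Sysmon EventID 1/11/13
records (or a registry and file audit) into evaluate().
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
Hit = Tuple[str, str, str]  # (rule name, writing image, detail)

# Constructed sample telemetry modelled on the report's IoC rows; not captured data.
SAMPLE_EVENTS: List[Event] = [
    {"type": "registry_set", "image": "svchost.exe",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "value": r"userinit.exe,c:\program files (x86)\microsoft\watermark.exe"},
    {"type": "registry_set", "image": "Application.exe",
     "key": r"HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "value": "1"},
    {"type": "registry_set", "image": "Application.exe",  # (default) value under Run
     "key": r"HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\Admin\AppData\Roaming\Application.exe"},
    {"type": "file_write", "image": "Application.exe",
     "path": r"C:\Windows\system32\drivers\etc\hosts"},
    {"type": "process_create", "image": "netsh.exe",
     "cmdline": '"netsh.exe" firewall set opmode disable'},
    # Benign control rows: a stock Userinit value and an informational netsh call.
    {"type": "registry_set", "image": "msiexec.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "value": r"C:\Windows\system32\userinit.exe,"},
    {"type": "process_create", "image": "netsh.exe",
     "cmdline": "netsh interface show interface"},
]

LOCKOUT_POLICIES = {"disableregistrytools", "disabletaskmgr"}
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Legacy "netsh firewall" syntax (seen in this report) and the newer advfirewall form.
NETSH_FIREWALL_OFF = re.compile(
    r"firewall\s+set\s+opmode\s+(?:mode=)?disable|advfirewall\s+set\s+\w+\s+state\s+off", re.I)


def userinit_extra_entries(value: str) -> List[str]:
    """Return Userinit entries that are not the stock userinit.exe in System32.

    A clean value is "userinit.exe," or "C:\\Windows\\system32\\userinit.exe,";
    every comma-separated entry is launched by winlogon at each interactive logon.
    """
    extras: List[str] = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        directory, _, name = entry.replace("/", "\\").lower().rpartition("\\")
        if name != "userinit.exe" or (directory and not directory.endswith("\\windows\\system32")):
            extras.append(entry)
    return extras


def evaluate(events: List[Event]) -> List[Hit]:
    """Run every rule over the events and return hits in input order."""
    hits: List[Hit] = []
    for ev in events:
        image = ev["image"]
        if ev["type"] == "registry_set":
            key = ev["key"].lower()
            leaf = key.rsplit("\\", 1)[-1]
            if key.endswith("\\winlogon\\userinit"):
                extras = userinit_extra_entries(ev["value"])
                if extras:
                    hits.append(("winlogon_userinit_hijack", image, ";".join(extras)))
            elif leaf in LOCKOUT_POLICIES and ev["value"].strip() == "1":
                hits.append(("policy_lockout", image, leaf))
            elif "\\currentversion\\run" in key and any(h in ev["value"].lower() for h in USER_WRITABLE_HINTS):
                hits.append(("run_key_user_writable_path", image, ev["value"]))
        elif ev["type"] == "file_write":
            if ev["path"].lower().endswith("\\drivers\\etc\\hosts"):
                hits.append(("hosts_file_write", image, ev["path"]))
        elif ev["type"] == "process_create":
            if NETSH_FIREWALL_OFF.search(ev["cmdline"]):
                hits.append(("firewall_disabled_via_netsh", image, ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for rule, image, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:30} {image:18} {detail}")
```

Running it yields five hits, one per malicious row, and nothing for the two control rows. The Userinit rule deliberately treats any second entry as a hijack rather than matching the watermark.exe path from this report, since the appended path is the part an attacker changes between builds.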
Suspicious use of SetThreadContext (1 IoC)
- PID 2092 2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe set thread context of PID 2352 (target process #32)
YARA rule match: upx (20 memory dumps, behavioral1)
- PID 2352 (lostsaga.exe), region 0x0000000000400000-0x00000000004CD000: dumps 12, 14, 15, 18, 21, 28, 29, 39, 69, 98
- PID 2876 (lostsagamgr.exe), region 0x0000000000400000-0x0000000000421000: dumps 31, 32, 33, 34, 45, 46, 49
- PID 2876 (lostsagamgr.exe), region 0x0000000000400000-0x0000000000428000: dump 42
- PID 2664 (WaterMark.exe), region 0x0000000000400000-0x0000000000421000: dumps 68, 685
Drops file in Program Files directory (64 IoCs)
All 64 rows are "File opened for modification" by svchost.exe:
- C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll
- C:\Program Files\Mozilla Firefox\uninstall\helper.exe
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Management.Instrumentation.Resources.dll
- C:\Program Files\Internet Explorer\F12Tools.dll
- C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html
- C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_cycle_plugin.dll
- C:\Program Files\Windows Defender\MSASCui.exe
- C:\Program Files\VideoLAN\VLC\plugins\visualization\libglspectrum_plugin.dll
- C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll
- C:\Program Files\Common Files\System\msadc\msadcer.dll
- C:\Program Files\Internet Explorer\F12.dll
- C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
- C:\Program Files\Java\jre7\bin\java_crw_demo.dll
- C:\Program Files\VideoLAN\VLC\plugins\video_filter\libtransform_plugin.dll
- C:\Program Files (x86)\Common Files\microsoft shared\ink\InkObj.dll
- C:\Program Files\VideoLAN\VLC\plugins\spu\libaudiobargraph_v_plugin.dll
- C:\Program Files\Windows Media Player\mpvis.DLL
- C:\Program Files\Common Files\System\wab32res.dll
- C:\Program Files\Microsoft Office\Office14\INLAUNCH.DLL
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll
- C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll
- C:\Program Files\Internet Explorer\iedvtool.dll
- C:\Program Files\Mozilla Firefox\osclientcerts.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\codec\libddummy_plugin.dll
- C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jli.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IO.Log.Resources.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_hevc_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll
- C:\Program Files (x86)\Common Files\microsoft shared\ink\tpcps.dll
- C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe
- C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsFormsIntegration.resources.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\codec\libscte18_plugin.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsFormsIntegration.resources.dll
- C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html
- C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll
- C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Resources.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll
- C:\Program Files\Windows Sidebar\sidebar.exe
- C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\hxdsui.dll
- C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll
- C:\Program Files\Common Files\System\msadc\msdaremr.dll
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html
- C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_gather_plugin.dll
- C:\Program Files\Windows Media Player\WMPMediaSharing.dll
- C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll
- C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_stats_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscale_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll
- C:\Program Files\Windows Media Player\wmpshare.exe
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It loads its helper DLLs from the NetSh registry key on every start, so the key access below is normal netsh behaviour; the signal in this report is that the sample launched netsh.exe at all, with the command line "netsh.exe" firewall set opmode disable shown in the process tree.
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (process: netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (process: netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (process: netsh.exe)
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: netsh.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: lostsaga.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: lostsagamgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WaterMark.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe, 2 rows)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs, grouped by process)
- PID 2092 2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe: 1 row
- PID 2664 WaterMark.exe: 2 rows
- PID 2352 lostsaga.exe: 11 rows
- PID 2848 Application.exe: 50 rows
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2848 Application.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege, PID 2092 2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe
- Token: SeDebugPrivilege, PID 2664 WaterMark.exe (2 rows)
- Token: SeDebugPrivilege, PID 2848 Application.exe
- Token: SeDebugPrivilege, PID 1104 svchost.exe
- Token: SeDebugPrivilege, PID 2352 lostsaga.exe
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2848 Application.exe
Suspicious use of UnmapMainImage (2 IoCs)
- PID 2876 lostsagamgr.exe
- PID 2664 WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs, grouped as writer -> target, with the number of rows and the report's target process index)
- PID 2092 2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe -> PID 2564 netsh.exe (target #30): 4 rows
- PID 2092 2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe -> PID 2352 lostsaga.exe (target #32): 9 rows
- PID 2352 lostsaga.exe -> PID 2876 lostsagamgr.exe (target #33): 4 rows
- PID 2092 2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe -> PID 2848 Application.exe (target #34): 4 rows
- PID 2876 lostsagamgr.exe -> PID 2664 WaterMark.exe (target #35): 4 rows
- PID 2664 WaterMark.exe -> PID 1004 svchost.exe (target #36): 10 rows
- PID 2664 WaterMark.exe -> PID 1104 svchost.exe (target #37): 10 rows
- PID 1104 svchost.exe -> PID 256 smss.exe (target #1): 5 rows
- PID 1104 svchost.exe -> PID 336 csrss.exe (target #2): 5 rows
- PID 1104 svchost.exe -> PID 384 wininit.exe (target #3): 5 rows
- PID 1104 svchost.exe -> PID 392 csrss.exe (target #4): 4 rows
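Two of the rows above deserve more than a glance: PID 2092 writes nine times into its own child lostsaga.exe and then calls SetThreadContext on it (the process-replacement sequence), and the svchost.exe that WaterMark.exe spawned from SysWOW64 (PID 1104, not the service host) writes into smss.exe, csrss.exe and wininit.exe, processes it did not create. A parent writing into a child it has just created is routine and noisy, so a useful triage pass separates those from writes across the tree. The script below is an added example, not part of this report or of tria.ge; its process table and edge lists are constructed from the report's process tree and signature rows, and the function names are this example's own.

```python
"""Process-injection triage over WriteProcessMemory / SetThreadContext rows.

Added example, not part of the sandbox report. PROCESSES, WRITES and
SET_THREAD_CONTEXT are constructed from this report's process tree and
signature rows; on a live host the same shape comes from Sysmon EventID 8/10
plus the process-creation log.
"""
from typing import Dict, List, Set, Tuple

# pid -> (image, parent pid); parent 0 marks a root as the report's tree shows it.
PROCESSES: Dict[int, Tuple[str, int]] = {
    256: ("smss.exe", 0), 336: ("csrss.exe", 0), 384: ("wininit.exe", 0),
    392: ("csrss.exe", 0), 432: ("winlogon.exe", 0), 1216: ("Explorer.EXE", 0),
    2092: ("2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe", 1216),
    2564: ("netsh.exe", 2092), 2352: ("lostsaga.exe", 2092), 2848: ("Application.exe", 2092),
    2876: ("lostsagamgr.exe", 2352), 2664: ("WaterMark.exe", 2876),
    1004: ("svchost.exe", 2664), 1104: ("svchost.exe", 2664),
}

# (writer pid, target pid, number of WriteProcessMemory rows) as listed in the report.
WRITES: List[Tuple[int, int, int]] = [
    (2092, 2564, 4), (2092, 2352, 9), (2352, 2876, 4), (2092, 2848, 4), (2876, 2664, 4),
    (2664, 1004, 10), (2664, 1104, 10),
    (1104, 256, 5), (1104, 336, 5), (1104, 384, 5), (1104, 392, 4),
]

# (caller pid, target pid) from the "Suspicious use of SetThreadContext" row.
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(2092, 2352)]


def ancestors(pid: int, procs: Dict[int, Tuple[str, int]] = PROCESSES) -> Set[int]:
    """Every ancestor pid of `pid`, following parent links up to a root."""
    seen: Set[int] = set()
    parent = procs[pid][1]
    while parent in procs and parent not in seen:
        seen.add(parent)
        parent = procs[parent][1]
    return seen


def hollowing_candidates(writes: List[Tuple[int, int, int]],
                         thread_ctx: List[Tuple[int, int]],
                         procs: Dict[int, Tuple[str, int]] = PROCESSES) -> List[Tuple[int, int]]:
    """Parent writes into a child it created, then rewrites that child's thread context.

    That pairing is the process-replacement sequence (create suspended, write,
    SetThreadContext, resume); a high write count to the same child, as the
    report shows for 2092 -> 2352, strengthens the call.
    """
    wrote = {(w, t) for w, t, _ in writes}
    return sorted((c, t) for c, t in thread_ctx if (c, t) in wrote and procs[t][1] == c)


def cross_tree_injections(writes: List[Tuple[int, int, int]],
                          procs: Dict[int, Tuple[str, int]] = PROCESSES) -> List[Tuple[int, int, str, str]]:
    """Writes into a process the writer did not create, directly or indirectly.

    Writes into one's own descendants are excluded (CreateProcess produces them);
    what remains is the set to look at first.
    """
    hits: List[Tuple[int, int, str, str]] = []
    for writer, target, _count in writes:
        if writer != target and writer not in ancestors(target, procs):
            hits.append((writer, target, procs[writer][0], procs[target][0]))
    return sorted(hits)


if __name__ == "__main__":
    for c, t in hollowing_candidates(WRITES, SET_THREAD_CONTEXT):
        print(f"hollowing candidate: {c} {PROCESSES[c][0]} -> {t} {PROCESSES[t][0]}")
    for w, t, wi, ti in cross_tree_injections(WRITES):
        print(f"cross-tree write:    {w} {wi} -> {t} {ti}")
```

On the report's data this flags exactly one hollowing candidate (2092 -> 2352, which is also the region the upx rule matched in memory) and four cross-tree writes, all from PID 1104 into the session-0 and session-1 system processes; every other write is a parent into its own child and is filtered out.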
Processes
- C:\Windows\System32\smss.exe (\SystemRoot\System32\smss.exe) PID 256
- C:\Windows\system32\csrss.exe (%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16) PID 336
- C:\Windows\system32\wininit.exe (wininit.exe) PID 384
  - C:\Windows\system32\services.exe PID 476
    - C:\Windows\system32\svchost.exe -k DcomLaunch PID 616
      - C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} PID 1764
      - C:\Windows\system32\wbem\wmiprvse.exe PID 1828
    - C:\Windows\system32\svchost.exe -k RPCSS PID 696
    - C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted PID 768
    - C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted PID 832
      - C:\Windows\system32\Dwm.exe PID 1180
    - C:\Windows\system32\svchost.exe -k netsvcs PID 868
      - C:\Windows\system32\wbem\WMIADAP.EXE (wmiadap.exe /F /T /R) PID 1820
    - C:\Windows\system32\svchost.exe -k LocalService PID 980
    - C:\Windows\system32\svchost.exe -k NetworkService PID 292
    - C:\Windows\System32\spoolsv.exe PID 1012
    - C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork PID 1080
    - C:\Windows\system32\taskhost.exe ("taskhost.exe") PID 1128
    - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE PID 1064
    - C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation PID 1724
    - C:\Windows\system32\sppsvc.exe PID 2300
  - C:\Windows\system32\lsass.exe PID 492
  - C:\Windows\system32\lsm.exe PID 500
- C:\Windows\system32\csrss.exe (same command line as PID 336) PID 392
- C:\Windows\system32\winlogon.exe (winlogon.exe) PID 432
- C:\Windows\Explorer.EXE PID 1216
  - C:\Users\Admin\AppData\Local\Temp\2bee9df1419903f140ff65c7703c874e_JaffaCakes118.exe PID 2092
    - Disables RegEdit via registry modification
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe ("netsh.exe" firewall set opmode disable) PID 2564
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\lostsaga.exe PID 2352
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\lostsagamgr.exe PID 2876
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\WaterMark.exe PID 2664
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\svchost.exe (command line C:\Windows\system32\svchost.exe) PID 1004
            - Modifies WinLogon for persistence
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\svchost.exe (command line C:\Windows\system32\svchost.exe) PID 1104
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Application.exe PID 2848
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  - Filesize: 197KB
  - MD5: 1b9b236ddfa6c74c2a0ab5d10d8af6cf
  - SHA1: e857e3f606d8351012b6bbd42748d2c84534bd2b
  - SHA256: 483ff58b58d4171f64eae71f985c86eecc2c52e254ec63ef9c206a5cf0878322
  - SHA512: 643a3609dd5ff21d9f5a523484bb25b98de19f04adf790163b905b59f3c348efa85f3fee40941aa42d077b76e01fe2792e07e6383b2d7613e030807c9720debf
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  - Filesize: 193KB
  - MD5: 3762e519f151ad521c4750278c2579fb
  - SHA1: d87cf7234757260d669de1440dceecb3b627e1a2
  - SHA256: 8f8edaaa912258408983286e9f465301e44c7c045009756f3efbff8711b244a5
  - SHA512: bf9f81eb33ac9da5054e3ca33ef874f3ef0870b24ce12825a6a8d4fc8f76cd6d087c115218b0f63a0fa696cc00d3008fbcc27dd1753f0585fdf456935481722d
- (no filename recorded)
  - Filesize: 154KB
  - MD5: c2004abcda1a230cf75da74a8b56a276
  - SHA1: 62f8de3e2f270ffe96518ccf0e5bfbb444733031
  - SHA256: e9945c6721d022e33508ad1326063bcdd12c67bc9d062db0f160ac058bc5e6cb
  - SHA512: db31f45e604dce12e4010879475bccc094e4b215d30e329f8f1460d724a37ec649319006b0aa70a8e05d6779f2b184fcd31750e5ca784829338b2609df81a7e8
- (no filename recorded)
  - Filesize: 2KB
  - MD5: 4428c969f83fe0fb6bb2a635fe605bce
  - SHA1: 15efa531bc399c5e92d72cf266f8e18b4ec78bb0
  - SHA256: 458b17876c0ea9ce182b9966f97d7617600ac6cb95c363cc7f33aec420424151
  - SHA512: 4896c3e06391a7caca83ae36fd2a093af81ad6165979ed23232fb35a4d85a7188ecbbc66e720c4cd3d86e4c5546848ce7b02e5d8e28cd02ca0c246b091e9d809
- (no filename recorded)
  - Filesize: 92KB
  - MD5: e015c13f29b01ce78e2c066674362ee5
  - SHA1: 37ad4196953a2741d1bd52aed19f82f9947f119d
  - SHA256: c062802dfa0fcd5fdba4feef534d80e8686a3a5de9fe441848d0a08433bf07d9
  - SHA512: c5da6b6424d713df43e5c6dad91d21a74db3a6c5adbbee48d6d9238cbf7d554ecbaf46a37aa9e38db583ede5c2c295c82e5703e17b35fc3a5c0dcf504544bc36