Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
14-10-2024 20:02
Static task
static1
Behavioral task
behavioral1
Sample
43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe
Resource
win7-20240708-en
General
-
Target
43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe
-
Size
374KB
-
MD5
43f37415ce56073c5259ee06325c9561
-
SHA1
9a52363cc87982db4389e66afc23d3d5b19ca120
-
SHA256
f977ef11e8cafc36f65eac224eb6beb3da9e210376f529ab193e55e9d9b689a4
-
SHA512
23cd1519ce284497f5ff6155415ae5fc137ea4346490ddc48b4760f85350b680b9de8a7d7f46beb1587ba8e996fe4316c10c2fa5f4c09ae9bcaf923b3d42867a
-
SSDEEP
6144:CMjLpLlFnV2VsUqiifR55Aj4wWHA90EVb2/1T6LHcGQ2s8Yg6FxOp63RPE9YG8yH:vt8VtqiifjOj4wWcLbY6zRo8COpExgYG
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$explorer.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate explorer.exe -
Executes dropped EXE 1 IoCs
Processes:
oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$pid Process 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$notepad.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" notepad.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$description pid Process procid_target PID 2648 set thread context of 2616 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 32 -
Processes:
resource yara_rule behavioral1/files/0x0008000000015cb6-7.dat upx behavioral1/memory/2648-10-0x0000000013140000-0x000000001322D000-memory.dmp upx behavioral1/memory/2616-80-0x0000000013140000-0x000000001322D000-memory.dmp upx behavioral1/memory/2616-78-0x0000000013140000-0x000000001322D000-memory.dmp upx behavioral1/memory/2616-84-0x0000000013140000-0x000000001322D000-memory.dmp upx behavioral1/memory/2648-82-0x0000000013140000-0x000000001322D000-memory.dmp upx behavioral1/memory/2616-77-0x0000000013140000-0x000000001322D000-memory.dmp upx behavioral1/memory/2616-87-0x0000000013140000-0x000000001322D000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
explorer.exeoTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$notepad.exenotepad.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$explorer.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exeoTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$explorer.exedescription pid Process Token: SeIncreaseQuotaPrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeSecurityPrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeTakeOwnershipPrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeLoadDriverPrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeSystemProfilePrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeSystemtimePrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeProfSingleProcessPrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeIncBasePriorityPrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeCreatePagefilePrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeBackupPrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeRestorePrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeShutdownPrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeDebugPrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeSystemEnvironmentPrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeChangeNotifyPrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeRemoteShutdownPrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeUndockPrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeManageVolumePrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeImpersonatePrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeCreateGlobalPrivilege 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: 33 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: 34 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: 35 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeIncreaseQuotaPrivilege 2616 explorer.exe Token: SeSecurityPrivilege 2616 explorer.exe Token: SeTakeOwnershipPrivilege 2616 explorer.exe Token: SeLoadDriverPrivilege 2616 explorer.exe Token: SeSystemProfilePrivilege 2616 explorer.exe Token: SeSystemtimePrivilege 2616 explorer.exe Token: SeProfSingleProcessPrivilege 2616 explorer.exe Token: SeIncBasePriorityPrivilege 2616 explorer.exe Token: SeCreatePagefilePrivilege 2616 explorer.exe Token: SeBackupPrivilege 2616 explorer.exe Token: SeRestorePrivilege 2616 explorer.exe Token: SeShutdownPrivilege 2616 explorer.exe Token: SeDebugPrivilege 2616 explorer.exe Token: SeSystemEnvironmentPrivilege 2616 explorer.exe Token: SeChangeNotifyPrivilege 2616 explorer.exe Token: SeRemoteShutdownPrivilege 2616 explorer.exe Token: SeUndockPrivilege 2616 explorer.exe Token: SeManageVolumePrivilege 2616 explorer.exe Token: SeImpersonatePrivilege 2616 explorer.exe Token: SeCreateGlobalPrivilege 2616 explorer.exe Token: 33 2616 explorer.exe Token: 34 2616 explorer.exe Token: 35 2616 explorer.exe -
Suspicious use of WriteProcessMemory 52 IoCs
Processes:
43f37415ce56073c5259ee06325c9561_JaffaCakes118.exeoTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$description pid Process procid_target PID 2200 wrote to memory of 2648 2200 43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe 30 PID 2200 wrote to memory of 2648 2200 43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe 30 PID 2200 wrote to memory of 2648 2200 43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe 30 PID 2200 wrote to memory of 2648 2200 43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe 30 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2788 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 31 PID 2648 wrote to memory of 2616 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 32 PID 2648 wrote to memory of 2616 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 32 PID 2648 wrote to memory of 2616 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 32 PID 2648 wrote to memory of 2616 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 32 PID 2648 wrote to memory of 2616 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 32 PID 2648 wrote to memory of 2616 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 32 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33 PID 2648 wrote to memory of 2580 2648 oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Users\Admin\AppData\Local\Temp\oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$C:\Users\Admin\AppData\Local\Temp\oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2788
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe3⤵
- System Location Discovery: System Language Discovery
PID:2580
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Filesize340KB
MD5e4dd035d5fc3a0570c72a84d06480645
SHA1e7b8526379ab2b5a6685eacf6014d89e03abc361
SHA256bb18ea9a23f03bd48f0e55b7cf20c25ea6a84c844ad1a97707f56fd6e327cd37
SHA512ad5f03038ecfa17f97e973adb469d8805252bb34cda54d63a67f6b2997cae5933feb97355631262a072c8b29701d776801de792013948e8537c14c6e1a8fca12