Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-10-2024 20:02
Static task
static1
Behavioral task
behavioral1
Sample
43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe
Resource
win7-20240708-en
General
-
Target
43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe
-
Size
374KB
-
MD5
43f37415ce56073c5259ee06325c9561
-
SHA1
9a52363cc87982db4389e66afc23d3d5b19ca120
-
SHA256
f977ef11e8cafc36f65eac224eb6beb3da9e210376f529ab193e55e9d9b689a4
-
SHA512
23cd1519ce284497f5ff6155415ae5fc137ea4346490ddc48b4760f85350b680b9de8a7d7f46beb1587ba8e996fe4316c10c2fa5f4c09ae9bcaf923b3d42867a
-
SSDEEP
6144:CMjLpLlFnV2VsUqiifR55Aj4wWHA90EVb2/1T6LHcGQ2s8Yg6FxOp63RPE9YG8yH:vt8VtqiifjOj4wWcLbY6zRo8COpExgYG
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$explorer.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate explorer.exe -
Executes dropped EXE 1 IoCs
Processes:
oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$pid Process 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$notepad.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" notepad.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$description pid Process procid_target PID 3420 set thread context of 1824 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 88 -
Processes:
resource yara_rule behavioral2/files/0x0008000000023c89-10.dat upx behavioral2/memory/3420-11-0x0000000013140000-0x000000001322D000-memory.dmp upx behavioral2/memory/1824-18-0x0000000013140000-0x000000001322D000-memory.dmp upx behavioral2/memory/1824-23-0x0000000013140000-0x000000001322D000-memory.dmp upx behavioral2/memory/1824-25-0x0000000013140000-0x000000001322D000-memory.dmp upx behavioral2/memory/3420-27-0x0000000013140000-0x000000001322D000-memory.dmp upx behavioral2/memory/1824-24-0x0000000013140000-0x000000001322D000-memory.dmp upx behavioral2/memory/1824-21-0x0000000013140000-0x000000001322D000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
notepad.exeoTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$notepad.exeexplorer.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
explorer.exeoTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$explorer.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier explorer.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$explorer.exedescription pid Process Token: SeIncreaseQuotaPrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeSecurityPrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeTakeOwnershipPrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeLoadDriverPrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeSystemProfilePrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeSystemtimePrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeProfSingleProcessPrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeIncBasePriorityPrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeCreatePagefilePrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeBackupPrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeRestorePrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeShutdownPrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeDebugPrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeSystemEnvironmentPrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeChangeNotifyPrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeRemoteShutdownPrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeUndockPrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeManageVolumePrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeImpersonatePrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeCreateGlobalPrivilege 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: 33 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: 34 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: 35 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: 36 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Token: SeIncreaseQuotaPrivilege 1824 explorer.exe Token: SeSecurityPrivilege 1824 explorer.exe Token: SeTakeOwnershipPrivilege 1824 explorer.exe Token: SeLoadDriverPrivilege 1824 explorer.exe Token: SeSystemProfilePrivilege 1824 explorer.exe Token: SeSystemtimePrivilege 1824 explorer.exe Token: SeProfSingleProcessPrivilege 1824 explorer.exe Token: SeIncBasePriorityPrivilege 1824 explorer.exe Token: SeCreatePagefilePrivilege 1824 explorer.exe Token: SeBackupPrivilege 1824 explorer.exe Token: SeRestorePrivilege 1824 explorer.exe Token: SeShutdownPrivilege 1824 explorer.exe Token: SeDebugPrivilege 1824 explorer.exe Token: SeSystemEnvironmentPrivilege 1824 explorer.exe Token: SeChangeNotifyPrivilege 1824 explorer.exe Token: SeRemoteShutdownPrivilege 1824 explorer.exe Token: SeUndockPrivilege 1824 explorer.exe Token: SeManageVolumePrivilege 1824 explorer.exe Token: SeImpersonatePrivilege 1824 explorer.exe Token: SeCreateGlobalPrivilege 1824 explorer.exe Token: 33 1824 explorer.exe Token: 34 1824 explorer.exe Token: 35 1824 explorer.exe Token: 36 1824 explorer.exe -
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
43f37415ce56073c5259ee06325c9561_JaffaCakes118.exeoTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$description pid Process procid_target PID 5056 wrote to memory of 3420 5056 43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe 84 PID 5056 wrote to memory of 3420 5056 43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe 84 PID 5056 wrote to memory of 3420 5056 43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe 84 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 4356 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 87 PID 3420 wrote to memory of 1824 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 88 PID 3420 wrote to memory of 1824 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 88 PID 3420 wrote to memory of 1824 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 88 PID 3420 wrote to memory of 1824 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 88 PID 3420 wrote to memory of 1824 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 88 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89 PID 3420 wrote to memory of 3096 3420 oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$C:\Users\Admin\AppData\Local\Temp\oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4356
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1824
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe3⤵
- System Location Discovery: System Language Discovery
PID:3096
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Filesize340KB
MD5e4dd035d5fc3a0570c72a84d06480645
SHA1e7b8526379ab2b5a6685eacf6014d89e03abc361
SHA256bb18ea9a23f03bd48f0e55b7cf20c25ea6a84c844ad1a97707f56fd6e327cd37
SHA512ad5f03038ecfa17f97e973adb469d8805252bb34cda54d63a67f6b2997cae5933feb97355631262a072c8b29701d776801de792013948e8537c14c6e1a8fca12