Analysis Overview
SHA256
745115e5515092ad108ad14211fc1f03e0dd4730bfeb79b5fadd753a4ba14f36
Threat Level: Known bad
The file 496f1defa92daf684818e5d161c71e8b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Modifies security service
Sets service image path in registry
Modifies system executable filetype association
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
Loads dropped DLL
Deletes itself
Indicator Removal: Clear Windows Event Logs
Checks registry for disk virtualization
Maps connected drives based on registry
Drops desktop.ini file(s)
Enumerates connected drives
Checks installed software on the system
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Event Triggered Execution: Netsh Helper DLL
Browser Information Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Modifies Internet Explorer settings
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Checks processor information in registry
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-15 18:48
Signatures
Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-15 18:48
Reported
2024-10-15 18:50
Platform
win7-20240903-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
Modifies security service

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | N/A | N/A |
Windows security bypass

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\system32\svchost.exe | N/A |
Sets service image path in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\userinit\ImagePath = "\\\\.\\globalroot\\systemroot\\system32\\usеrinit.exe" | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Deletes itself

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
Indicator Removal: Clear Windows Event Logs

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | N/A | N/A |
Loads dropped DLL

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
Modifies system executable filetype association

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" | C:\Windows\system32\svchost.exe | N/A |
Checks installed software on the system
Checks registry for disk virtualization

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK | C:\Windows\system32\svchost.exe | N/A |
Drops desktop.ini file(s)

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8NROS34R\desktop.ini | N/A | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | N/A | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWUYADN5\desktop.ini | N/A | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WY6T2DFU\desktop.ini | N/A | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y3Z0XF05\desktop.ini | N/A | N/A |
Enumerates connected drives

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\K: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\svchost.exe | N/A |
Maps connected drives based on registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\system32\svchost.exe | N/A |
Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\system32\svchost.exe | N/A |
System Location Discovery: System Language Discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Nls\Language | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Nls\Language | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Checks SCSI registry key(s)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\system32\svchost.exe | N/A |
Enumerates system info in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\svchost.exe | N/A |
Modifies Internet Explorer settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000006b81f76b2b25b973d213c1ee6cd6e8a8b0b1ecd7023883706c88c93cffa72441000000000e80000000020000200000006a426de4ae0f7ba5dad4826102dd71aa4a6dc26f79966cdcaf5b3fc7c751fb5d20000000c273f0dbba6b22deb8a8856c492f379810aae1f5e408c21b2827acedab75e16e40000000209eb58eef4bc8c6b40fb5a4016be64fbaa1ac1459c7d0485d9fde8e08779a4deb355976b5f3372d467d4e054d165630b0edc2cd5eb4f7bf759721be2b4954e5 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0078525331fdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{50DDF3E1-8B26-11EF-A742-6E295C7D81A3} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-95-6d-94-bc-6f\WpadDecisionTime = 60f893df321fdb01 | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\7a-95-6d-94-bc-6f | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\WpadNetworkName = "Network 3" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\WpadDecision = "0" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715} | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\WpadDecisionReason = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\WpadDecisionTime = 60f893df321fdb01 | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-95-6d-94-bc-6f | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-95-6d-94-bc-6f\WpadDecisionReason = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-95-6d-94-bc-6f\WpadDecision = "0" | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \registry\machine\Software\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "131087" | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
| Key created | \registry\machine\Software\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "131087" | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
| Key created | \registry\machine\Software\Classes\Interface\{507e1fac-b73d-1bbf-56af-f783afcbf39c} | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeUndockPrivilege | N/A | N/A | N/A |
| Token: SeManageVolumePrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeUndockPrivilege | N/A | N/A | N/A |
| Token: SeManageVolumePrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeUndockPrivilege | N/A | N/A | N/A |
| Token: SeManageVolumePrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeUndockPrivilege | N/A | N/A | N/A |
| Token: SeManageVolumePrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
\??\globalroot\systemroot\system32\usеrinit.exe
/install
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://secure.exbilling.com/get/product.php?id=intsec&advert=131087&extern=0&lang=EN
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:275457 /prefetch:2
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
| Country | Destination | Domain | Proto |
| NL | 94.75.199.163:8083 | | tcp |
| NL | 94.75.199.163:8083 | | tcp |
| NL | 94.75.199.163:8083 | | tcp |
| NL | 94.75.199.163:8083 | | tcp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| GB | 87.248.114.11:80 | www.yahoo.com | tcp |
| NL | 88.208.21.219:8083 | | tcp |
| US | 8.8.8.8:53 | secure.exbilling.com | udp |
Files
memory/2640-1-0x0000000000400000-0x0000000000480000-memory.dmp
memory/2640-2-0x0000000000400000-0x00000000004A6E00-memory.dmp
\Windows\System32\usеrinit.exe
| MD5 | 4acd14244d2cd76d06939163127cfb10 |
| SHA1 | 75f3e3c764f7d20c9950f5410f753f3210bcc2e7 |
| SHA256 | 29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb |
| SHA512 | 001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031 |
memory/2640-12-0x0000000000400000-0x0000000000480000-memory.dmp
memory/2640-11-0x0000000000400000-0x00000000004A6E00-memory.dmp
\systemroot\system32\msiavjyv.dll
| MD5 | dc1277e7b67690d454af6bc63a10567a |
| SHA1 | dd92ac19af235b659377688b5ff387ab45475c5b |
| SHA256 | a281b3f4a1c161ec7a4de14d88b4a5709e5f712a1937e106478f19eb57c23cc4 |
| SHA512 | 64f3d080b2d0388b5921ab1110ae69769456836193e56dc86e857886ed1f05c4508d8c319c4a5b22655f584c0d844447135596a350b68bcff38384bc393ee152 |
memory/2796-29-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp
memory/2808-37-0x00000000000A0000-0x00000000000BA000-memory.dmp
memory/2808-32-0x00000000000A0000-0x00000000000BA000-memory.dmp
memory/2808-42-0x00000000000A0000-0x00000000000BA000-memory.dmp
memory/2808-47-0x00000000000A0000-0x00000000000BA000-memory.dmp
memory/268-50-0x0000000000DF0000-0x0000000000DF6000-memory.dmp
memory/268-58-0x0000000000DF0000-0x0000000000DF6000-memory.dmp
memory/268-54-0x0000000000DF0000-0x0000000000DF6000-memory.dmp
memory/268-49-0x0000000000DD0000-0x0000000000DD3000-memory.dmp
memory/2808-59-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp
memory/2808-79-0x00000000000A0000-0x00000000000BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{E9C1E0AC-C9B1-4c85-94DE-9C1518918D02}.tlb
| MD5 | 63881935b6ff930a39df13a27c18c3f5 |
| SHA1 | d5464ca24d61b2efb562b1b4f4e0bef69c94cf04 |
| SHA256 | 50d712b007a3339855619a4ad283661c07e13ec0a74465ea3d121439005cd1e5 |
| SHA512 | 011d0307d088ac7a691ff504f8c3e99a06097fc27e10d40d62721cf6c6d0500120d040a7d32fd10aa50aeef1ef12be67501fff122bed129a354fb57c213a0ed9 |
C:\Windows\System32\exefile.exe
| MD5 | 33d277c7477cedb2644df98b7a06a64d |
| SHA1 | 3a01e8ef0ac09348c9f282cb7380c5670e950178 |
| SHA256 | b46c95f1ad6bc432d029288e40d570cc3db24b92d8d5dd1f05f7784a23db64d9 |
| SHA512 | 343e2f9fd67188d91cb13d423d01700af15ab8e50538f9356e3985a8acd2d73c1dd4c2256d426ae04eea957a5083e8720a166a0d278386a9d9fc011e5014a6bc |
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx
| MD5 | f76794743b87c6704ef54f548bc4640d |
| SHA1 | 2f64a17121772839350513b88b29362e0f6d5322 |
| SHA256 | 4df6e2656c52ac5172b60c363eb637ffca80676dc43e4a3f04792067250efcee |
| SHA512 | b762d80c62f31941396abca602f908b75ccc6805aea3491698b6daba86adb3b9a21fe6f7a4a01fe20d7273b63d11d1b5012fbf2b3b27afdb9a8bd7c7700621bd |
memory/2808-281-0x00000000000A0000-0x00000000000BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC63F.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarC6AF.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e04df4d0e3a2822ef8080f38c0ab2b37 |
| SHA1 | 7413938e2481805fbcf0d5e59cb2c483cf36abe8 |
| SHA256 | 953e62a81391a16d74301704e2b48abacf7caf7331f6544574604f0e55866945 |
| SHA512 | f1d142e81457b7d3e44573db89decb80fd873a58b7e21ef4f254ed9d2bff31d9b071fbd806e7535f0c66fc36c27a300f8c81c3f77c30ab772f73843365c097c0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ae3bc922b706d88d7dd0676329dc7ab2 |
| SHA1 | 19b546ddc19f69bf0447065c0e8b773adcbcfb0e |
| SHA256 | e3bfa9fdfb7d893928182bc85a1442fb93e725a8d94b65dea3a1b1c23d108bd7 |
| SHA512 | bd454c87115b8a6730630bf87be0fd5736b1e26b5e51141d7371eeda8c7820e00403b149ae77a52196eed731df2a37a23324858828a9dfdd36ada2aa18cd2f95 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 996fd57d8c1f15ffeaf6b11dd539996f |
| SHA1 | a8d4e909c53a6309be2a46b0b7f29f804a65b4c2 |
| SHA256 | 8804cf908633976ba8bbd8a3a957e0500edfef80f9b276a104f235fd90d000a7 |
| SHA512 | 3685d260315066738f54b6ebce7417e573271a1fbfca48fc120dfd1de6e151a505b7e1a98d72acbf4643e66e0b2c2ee58caba6903364a5aea3a718c24f23ca89 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5a0c34b7800455ce71c024106690779f |
| SHA1 | 81c013616d2a5940597fe5bb959ea3f06188889e |
| SHA256 | 505cde7fc413a7bcbfec990a8dbacd4c6bd54caefa5007570085128db68e774b |
| SHA512 | 76f3078855daaae909e866a400740fc2af14c099311f263af03e4932280acccbdcf6a7b211b85b30cda9d52380cfb6f4b86c50993b6091f245440e962df1e594 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 72cf8a79616709a415d151d48919a386 |
| SHA1 | 4c49ed10900806d51c0d33bd4b84da5b7dd2606a |
| SHA256 | 0922d6c7f9e7597ca3489db9814b2a148fab453c1e1996b419ec1d98c39cfcd8 |
| SHA512 | 3051b069b1db76ce923c92ae845da32693286c5bf968af625e96dcbafb0b0c12855ce3aa72c630f23eabdb4c6edd7f2a434f1f57013eac6829ba9c8d05ce1ab0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 31d423e32c90515547e3437f04fb075b |
| SHA1 | 8576b0ecaf0490f29761578d5f804fa3385510ac |
| SHA256 | 48be57868dd26e259c87a3e0af1105ab3565a32183d62c9ab138d6e4ac701a90 |
| SHA512 | 8fbed755dd6882e6110ed50b2cae5d50af519d6dea2f82a34517faa92c2c758e697e7e84ebdf872feae34d55830b951a72dc362e9632d9c6478a63aba80ede33 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 332764916617e1b7d9cd5cdfc98c87a0 |
| SHA1 | b0ec320bafebfb3294ca8da3bda286288a416581 |
| SHA256 | c3d13dd2c97e78b9ef462b42109df797dbdb0fa43072437d52f8a150d7668159 |
| SHA512 | c5d4ea431e573e466c79686fbc81015d9f1971ef6c1046b4adca94464eca9c540571197bf52b7939b06744c108156db00ee56f725ca66d0729070d5d446125ff |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 42b06110edf22de7faa46c9fc55ee57e |
| SHA1 | 7d1f8a661eed9b00fc5202ccba85e32b49f69fe5 |
| SHA256 | 117b60e0b0ccac0255e34bfdf4da193c02b921f71e908d672dfd045951eafe46 |
| SHA512 | bf3d2d7457b3a9ada630f6106e6206d7f54209a7a93b1fba1662e90eb1e055ebf7f7cf9aa1cd2ecfbdff2bc717076cb94640310c4bfdcb405a21d24a6c3a51c6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a642a9b802b09c5735db1b6f59dfb06b |
| SHA1 | a36ac43267b27a3cab1f73bb7950753108268807 |
| SHA256 | 8ca4be3647c2d25fe0b718b6dc28c2660187fdad03d1d7ebd4a1896ab8e74284 |
| SHA512 | f43b20d7fc5e160abf1ff2f4829bc1f9af5caaf871c2af6e849be25d3e51bfd0f042307c3d2da488c3dc02244937adcc3d54737b11442f02fbe2cf3981e8e993 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-15 18:48
Reported
2024-10-15 18:50
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
123s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4472 set thread context of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308}\u = "131087" | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
| Key created | \registry\machine\Software\Classes\WOW6432Node\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308} | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308}\u = "131087" | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
| Key created | \registry\machine\Software\Classes\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308} | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4472 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4472 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4472 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4472 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4472 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | \??\globalroot\systemroot\system32\usеrinit.exe |
| PID 4472 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | \??\globalroot\systemroot\system32\usеrinit.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
\??\globalroot\systemroot\system32\usеrinit.exe
/install
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| NL | 94.75.199.163:8083 | | tcp |
| NL | 94.75.199.163:8083 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/4472-1-0x0000000000400000-0x0000000000480000-memory.dmp
memory/4472-2-0x0000000000400000-0x00000000004A6E00-memory.dmp
C:\Windows\System32\usеrinit.exe
| MD5 | 4acd14244d2cd76d06939163127cfb10 |
| SHA1 | 75f3e3c764f7d20c9950f5410f753f3210bcc2e7 |
| SHA256 | 29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb |
| SHA512 | 001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031 |
memory/4472-11-0x0000000000400000-0x0000000000480000-memory.dmp
\systemroot\system32\mseeeeee.dll
| MD5 | 00b7dcb1c108c6bf90e7e39967c1aefb |
| SHA1 | 4becd3315f45fd51d0cbfccbca5adcf67ca4981f |
| SHA256 | bf2d44267ee00434ed7d6129f00e6c9544f3890e3a17f7b82522f3008cce703d |
| SHA512 | 4debf89c69f5e864e0195efda35968f2b5f95051f7ae9638484e000210ddb9f6dfc12cdfae08b0c20e12838e20a3cd26032e090ca4c6aeaa921982a204cc3cfb |
memory/4472-12-0x0000000000400000-0x00000000004A6E00-memory.dmp