Malware Analysis Report

2025-08-06 02:50

Sample ID 241015-xfxzvs1aqb
Target 496f1defa92daf684818e5d161c71e8b_JaffaCakes118
SHA256 745115e5515092ad108ad14211fc1f03e0dd4730bfeb79b5fadd753a4ba14f36
Tags
credential_access defense_evasion discovery evasion persistence privilege_escalation stealer trojan
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
10/10

SHA256

745115e5515092ad108ad14211fc1f03e0dd4730bfeb79b5fadd753a4ba14f36

Threat Level: Known bad

The file 496f1defa92daf684818e5d161c71e8b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

credential_access defense_evasion discovery evasion persistence privilege_escalation stealer trojan

Windows security bypass

Modifies security service

Sets service image path in registry

Modifies system executable filetype association

Credentials from Password Stores: Windows Credential Manager

Executes dropped EXE

Loads dropped DLL

Deletes itself

Indicator Removal: Clear Windows Event Logs

Checks registry for disk virtualization

Maps connected drives based on registry

Drops desktop.ini file(s)

Enumerates connected drives

Checks installed software on the system

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Modifies Internet Explorer settings

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 18:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 18:48

Reported

2024-10-15 18:50

Platform

win7-20240903-en

Max time kernel

149s

Max time network

143s

Command Line

C:\Windows\system32\svchost.exe -k NetworkService

Signatures

Modifies security service

evasion
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP N/A N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\system32\svchost.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\userinit\ImagePath = "\\\\.\\globalroot\\systemroot\\system32\\usеrinit.exe" \??\globalroot\systemroot\system32\usеrinit.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\globalroot\systemroot\system32\usеrinit.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" C:\Windows\system32\svchost.exe N/A

Checks installed software on the system

discovery

Checks registry for disk virtualization

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK C:\Windows\system32\svchost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8NROS34R\desktop.ini N/A N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini N/A N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWUYADN5\desktop.ini N/A N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WY6T2DFU\desktop.ini N/A N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y3Z0XF05\desktop.ini N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT \??\globalroot\systemroot\system32\usеrinit.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT C:\Windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2640 set thread context of 2696 N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 set thread context of 268 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe (24 identical rows in the original report)

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\system32\svchost.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Nls\Language C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Nls\Language C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI C:\Windows\system32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000006b81f76b2b25b973d213c1ee6cd6e8a8b0b1ecd7023883706c88c93cffa72441000000000e80000000020000200000006a426de4ae0f7ba5dad4826102dd71aa4a6dc26f79966cdcaf5b3fc7c751fb5d20000000c273f0dbba6b22deb8a8856c492f379810aae1f5e408c21b2827acedab75e16e40000000209eb58eef4bc8c6b40fb5a4016be64fbaa1ac1459c7d0485d9fde8e08779a4deb355976b5f3372d467d4e054d165630b0edc2cd5eb4f7bf759721be2b4954e5 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0078525331fdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{50DDF3E1-8B26-11EF-A742-6E295C7D81A3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-95-6d-94-bc-6f\WpadDecisionTime = 60f893df321fdb01 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" \??\globalroot\systemroot\system32\usеrinit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\7a-95-6d-94-bc-6f C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ \??\globalroot\systemroot\system32\usеrinit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\WpadNetworkName = "Network 3" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main \??\globalroot\systemroot\system32\usеrinit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\WpadDecision = "0" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715} C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\WpadDecisionReason = "1" C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\WpadDecisionTime = 60f893df321fdb01 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" \??\globalroot\systemroot\system32\usеrinit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-95-6d-94-bc-6f C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-95-6d-94-bc-6f\WpadDecisionReason = "1" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-95-6d-94-bc-6f\WpadDecision = "0" C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \registry\machine\Software\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "131087" C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A
Key created \registry\machine\Software\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "131087" C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A
Key created \registry\machine\Software\Classes\Interface\{507e1fac-b73d-1bbf-56af-f783afcbf39c} C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" C:\Windows\system32\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A \??\globalroot\systemroot\system32\usеrinit.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeAssignPrimaryTokenPrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeTakeOwnershipPrivilege N/A N/A N/A
Token: SeLoadDriverPrivilege N/A N/A N/A
Token: SeSystemtimePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A N/A N/A
Token: SeRestorePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A N/A N/A
Token: SeUndockPrivilege N/A N/A N/A
Token: SeManageVolumePrivilege N/A N/A N/A
Token: SeAssignPrimaryTokenPrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeTakeOwnershipPrivilege N/A N/A N/A
Token: SeLoadDriverPrivilege N/A N/A N/A
Token: SeSystemtimePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A N/A N/A
Token: SeRestorePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A N/A N/A
Token: SeUndockPrivilege N/A N/A N/A
Token: SeManageVolumePrivilege N/A N/A N/A
Token: SeAssignPrimaryTokenPrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeTakeOwnershipPrivilege N/A N/A N/A
Token: SeLoadDriverPrivilege N/A N/A N/A
Token: SeSystemtimePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A N/A N/A
Token: SeRestorePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A N/A N/A
Token: SeUndockPrivilege N/A N/A N/A
Token: SeManageVolumePrivilege N/A N/A N/A
Token: SeAssignPrimaryTokenPrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeTakeOwnershipPrivilege N/A N/A N/A
Token: SeLoadDriverPrivilege N/A N/A N/A
Token: SeSystemtimePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A N/A N/A
Token: SeRestorePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A N/A N/A
Token: SeUndockPrivilege N/A N/A N/A
Token: SeManageVolumePrivilege N/A N/A N/A
Token: SeAssignPrimaryTokenPrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeTakeOwnershipPrivilege N/A N/A N/A
Token: SeLoadDriverPrivilege N/A N/A N/A
Token: SeSystemtimePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A N/A N/A
Token: SeRestorePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2640 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe \??\globalroot\systemroot\system32\usеrinit.exe
PID 2640 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe \??\globalroot\systemroot\system32\usеrinit.exe
PID 2640 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe \??\globalroot\systemroot\system32\usеrinit.exe
PID 2640 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe \??\globalroot\systemroot\system32\usеrinit.exe
PID 2796 wrote to memory of 2808 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2796 wrote to memory of 2808 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2796 wrote to memory of 2808 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2796 wrote to memory of 2808 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2796 wrote to memory of 2808 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2808 wrote to memory of 268 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 332 wrote to memory of 2512 N/A N/A C:\Windows\system32\wbem\wmiprvse.exe
PID 332 wrote to memory of 2512 N/A N/A C:\Windows\system32\wbem\wmiprvse.exe
PID 608 wrote to memory of 2512 N/A N/A C:\Windows\system32\wbem\wmiprvse.exe
PID 608 wrote to memory of 2512 N/A N/A C:\Windows\system32\wbem\wmiprvse.exe
PID 608 wrote to memory of 2512 N/A N/A C:\Windows\system32\wbem\wmiprvse.exe
PID 388 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 388 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 2808 wrote to memory of 2292 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2808 wrote to memory of 2292 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2808 wrote to memory of 2292 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 388 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 388 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 388 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 388 wrote to memory of 552 N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 388 wrote to memory of 552 N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 388 wrote to memory of 552 N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 388 wrote to memory of 552 N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2292 wrote to memory of 552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2292 wrote to memory of 552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2292 wrote to memory of 552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2292 wrote to memory of 552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 388 wrote to memory of 552 N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 388 wrote to memory of 552 N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 388 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 388 wrote to memory of 552 N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 388 wrote to memory of 552 N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 388 wrote to memory of 552 N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 332 wrote to memory of 592 N/A N/A C:\Windows\system32\DllHost.exe
PID 608 wrote to memory of 592 N/A N/A C:\Windows\system32\DllHost.exe
PID 608 wrote to memory of 592 N/A N/A C:\Windows\system32\DllHost.exe
PID 608 wrote to memory of 592 N/A N/A C:\Windows\system32\DllHost.exe
PID 488 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 488 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 488 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 488 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 488 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 488 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 488 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 488 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 488 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe
PID 388 wrote to memory of 2292 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

\??\globalroot\systemroot\system32\usеrinit.exe

/install

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://secure.exbilling.com/get/product.php?id=intsec&advert=131087&extern=0&lang=EN

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:275457 /prefetch:2

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

Network

Country Destination Domain Proto
NL 94.75.199.163:8083 tcp
NL 94.75.199.163:8083 tcp
NL 94.75.199.163:8083 tcp
NL 94.75.199.163:8083 tcp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.11:80 www.yahoo.com tcp
NL 88.208.21.219:8083 tcp
US 8.8.8.8:53 secure.exbilling.com udp

Files

memory/2640-1-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2640-2-0x0000000000400000-0x00000000004A6E00-memory.dmp

\Windows\System32\usеrinit.exe

MD5 4acd14244d2cd76d06939163127cfb10
SHA1 75f3e3c764f7d20c9950f5410f753f3210bcc2e7
SHA256 29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb
SHA512 001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031

memory/2640-12-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2640-11-0x0000000000400000-0x00000000004A6E00-memory.dmp

\systemroot\system32\msiavjyv.dll

MD5 dc1277e7b67690d454af6bc63a10567a
SHA1 dd92ac19af235b659377688b5ff387ab45475c5b
SHA256 a281b3f4a1c161ec7a4de14d88b4a5709e5f712a1937e106478f19eb57c23cc4
SHA512 64f3d080b2d0388b5921ab1110ae69769456836193e56dc86e857886ed1f05c4508d8c319c4a5b22655f584c0d844447135596a350b68bcff38384bc393ee152

memory/2796-29-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

memory/2808-37-0x00000000000A0000-0x00000000000BA000-memory.dmp

memory/2808-32-0x00000000000A0000-0x00000000000BA000-memory.dmp

memory/2808-42-0x00000000000A0000-0x00000000000BA000-memory.dmp

memory/2808-47-0x00000000000A0000-0x00000000000BA000-memory.dmp

memory/268-50-0x0000000000DF0000-0x0000000000DF6000-memory.dmp

memory/268-58-0x0000000000DF0000-0x0000000000DF6000-memory.dmp

memory/268-54-0x0000000000DF0000-0x0000000000DF6000-memory.dmp

memory/268-49-0x0000000000DD0000-0x0000000000DD3000-memory.dmp

memory/2808-59-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

memory/2808-79-0x00000000000A0000-0x00000000000BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{E9C1E0AC-C9B1-4c85-94DE-9C1518918D02}.tlb

MD5 63881935b6ff930a39df13a27c18c3f5
SHA1 d5464ca24d61b2efb562b1b4f4e0bef69c94cf04
SHA256 50d712b007a3339855619a4ad283661c07e13ec0a74465ea3d121439005cd1e5
SHA512 011d0307d088ac7a691ff504f8c3e99a06097fc27e10d40d62721cf6c6d0500120d040a7d32fd10aa50aeef1ef12be67501fff122bed129a354fb57c213a0ed9

C:\Windows\System32\exefile.exe

MD5 33d277c7477cedb2644df98b7a06a64d
SHA1 3a01e8ef0ac09348c9f282cb7380c5670e950178
SHA256 b46c95f1ad6bc432d029288e40d570cc3db24b92d8d5dd1f05f7784a23db64d9
SHA512 343e2f9fd67188d91cb13d423d01700af15ab8e50538f9356e3985a8acd2d73c1dd4c2256d426ae04eea957a5083e8720a166a0d278386a9d9fc011e5014a6bc

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx

MD5 f76794743b87c6704ef54f548bc4640d
SHA1 2f64a17121772839350513b88b29362e0f6d5322
SHA256 4df6e2656c52ac5172b60c363eb637ffca80676dc43e4a3f04792067250efcee
SHA512 b762d80c62f31941396abca602f908b75ccc6805aea3491698b6daba86adb3b9a21fe6f7a4a01fe20d7273b63d11d1b5012fbf2b3b27afdb9a8bd7c7700621bd

memory/2808-281-0x00000000000A0000-0x00000000000BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC63F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarC6AF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e04df4d0e3a2822ef8080f38c0ab2b37
SHA1 7413938e2481805fbcf0d5e59cb2c483cf36abe8
SHA256 953e62a81391a16d74301704e2b48abacf7caf7331f6544574604f0e55866945
SHA512 f1d142e81457b7d3e44573db89decb80fd873a58b7e21ef4f254ed9d2bff31d9b071fbd806e7535f0c66fc36c27a300f8c81c3f77c30ab772f73843365c097c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae3bc922b706d88d7dd0676329dc7ab2
SHA1 19b546ddc19f69bf0447065c0e8b773adcbcfb0e
SHA256 e3bfa9fdfb7d893928182bc85a1442fb93e725a8d94b65dea3a1b1c23d108bd7
SHA512 bd454c87115b8a6730630bf87be0fd5736b1e26b5e51141d7371eeda8c7820e00403b149ae77a52196eed731df2a37a23324858828a9dfdd36ada2aa18cd2f95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 996fd57d8c1f15ffeaf6b11dd539996f
SHA1 a8d4e909c53a6309be2a46b0b7f29f804a65b4c2
SHA256 8804cf908633976ba8bbd8a3a957e0500edfef80f9b276a104f235fd90d000a7
SHA512 3685d260315066738f54b6ebce7417e573271a1fbfca48fc120dfd1de6e151a505b7e1a98d72acbf4643e66e0b2c2ee58caba6903364a5aea3a718c24f23ca89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a0c34b7800455ce71c024106690779f
SHA1 81c013616d2a5940597fe5bb959ea3f06188889e
SHA256 505cde7fc413a7bcbfec990a8dbacd4c6bd54caefa5007570085128db68e774b
SHA512 76f3078855daaae909e866a400740fc2af14c099311f263af03e4932280acccbdcf6a7b211b85b30cda9d52380cfb6f4b86c50993b6091f245440e962df1e594

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72cf8a79616709a415d151d48919a386
SHA1 4c49ed10900806d51c0d33bd4b84da5b7dd2606a
SHA256 0922d6c7f9e7597ca3489db9814b2a148fab453c1e1996b419ec1d98c39cfcd8
SHA512 3051b069b1db76ce923c92ae845da32693286c5bf968af625e96dcbafb0b0c12855ce3aa72c630f23eabdb4c6edd7f2a434f1f57013eac6829ba9c8d05ce1ab0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31d423e32c90515547e3437f04fb075b
SHA1 8576b0ecaf0490f29761578d5f804fa3385510ac
SHA256 48be57868dd26e259c87a3e0af1105ab3565a32183d62c9ab138d6e4ac701a90
SHA512 8fbed755dd6882e6110ed50b2cae5d50af519d6dea2f82a34517faa92c2c758e697e7e84ebdf872feae34d55830b951a72dc362e9632d9c6478a63aba80ede33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 332764916617e1b7d9cd5cdfc98c87a0
SHA1 b0ec320bafebfb3294ca8da3bda286288a416581
SHA256 c3d13dd2c97e78b9ef462b42109df797dbdb0fa43072437d52f8a150d7668159
SHA512 c5d4ea431e573e466c79686fbc81015d9f1971ef6c1046b4adca94464eca9c540571197bf52b7939b06744c108156db00ee56f725ca66d0729070d5d446125ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42b06110edf22de7faa46c9fc55ee57e
SHA1 7d1f8a661eed9b00fc5202ccba85e32b49f69fe5
SHA256 117b60e0b0ccac0255e34bfdf4da193c02b921f71e908d672dfd045951eafe46
SHA512 bf3d2d7457b3a9ada630f6106e6206d7f54209a7a93b1fba1662e90eb1e055ebf7f7cf9aa1cd2ecfbdff2bc717076cb94640310c4bfdcb405a21d24a6c3a51c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a642a9b802b09c5735db1b6f59dfb06b
SHA1 a36ac43267b27a3cab1f73bb7950753108268807
SHA256 8ca4be3647c2d25fe0b718b6dc28c2660187fdad03d1d7ebd4a1896ab8e74284
SHA512 f43b20d7fc5e160abf1ff2f4829bc1f9af5caaf871c2af6e849be25d3e51bfd0f042307c3d2da488c3dc02244937adcc3d54737b11442f02fbe2cf3981e8e993

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 18:48

Reported

2024-10-15 18:50

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\globalroot\systemroot\system32\usеrinit.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4472 set thread context of 2564 N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308}\u = "131087" C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A
Key created \registry\machine\Software\Classes\WOW6432Node\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308} C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308}\u = "131087" C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A
Key created \registry\machine\Software\Classes\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308} C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\globalroot\systemroot\system32\usеrinit.exe N/A
N/A N/A \??\globalroot\systemroot\system32\usеrinit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A \??\globalroot\systemroot\system32\usеrinit.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

\??\globalroot\systemroot\system32\usеrinit.exe

/install

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
NL 94.75.199.163:8083 tcp
NL 94.75.199.163:8083 tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4472-1-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4472-2-0x0000000000400000-0x00000000004A6E00-memory.dmp

C:\Windows\System32\usеrinit.exe

MD5 4acd14244d2cd76d06939163127cfb10
SHA1 75f3e3c764f7d20c9950f5410f753f3210bcc2e7
SHA256 29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb
SHA512 001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031

memory/4472-11-0x0000000000400000-0x0000000000480000-memory.dmp

\systemroot\system32\mseeeeee.dll

MD5 00b7dcb1c108c6bf90e7e39967c1aefb
SHA1 4becd3315f45fd51d0cbfccbca5adcf67ca4981f
SHA256 bf2d44267ee00434ed7d6129f00e6c9544f3890e3a17f7b82522f3008cce703d
SHA512 4debf89c69f5e864e0195efda35968f2b5f95051f7ae9638484e000210ddb9f6dfc12cdfae08b0c20e12838e20a3cd26032e090ca4c6aeaa921982a204cc3cfb

memory/4472-12-0x0000000000400000-0x00000000004A6E00-memory.dmp