Analysis
- max time kernel: 147s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16/10/2024, 23:13
Behavioral task: behavioral1
- Sample: 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe
- Size: 87KB
- MD5: 4f8b232e9457f18be375b581686fa3b1
- SHA1: 9b23300034ef4da04d59b0e1c769b47e196759e6
- SHA256: 1ad13998ccd9c464bcc99a520821b67c24fdb2268bfa9fe4c5cc85dc16ead024
- SHA512: d7f310143860b44713047aa174066450ab02739fda1b15ede3555a3d3a43d039aa632ecf710e82bb56fd6b6e64297c6f78f847f88344d114e5353c9a7fd9a375
- SSDEEP: 1536:56jasnxpEezz5/6HEaPu1dMCzeUlrLNPl5bsfd1MCNFkmhuvfjUWhvjvD/9VPORo:56jasnx7zz5/6HEGuP1aUXNvE1TPkm8b
Malware Config
Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Dofake.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Dofake.exe
Blocklisted process makes network request 1 IoCs
flow | pid | Process
6 | 2144 | rundll32.exe

Deletes itself 1 IoCs
pid | Process
1016 | cmd.exe

Executes dropped EXE 2 IoCs
pid | Process
2824 | Dofake.exe
2816 | cpa_1.exe

Loads dropped DLL 10 IoCs
pid | Process
2576 | regsvr32.exe
2144 | rundll32.exe (×4)
1856 | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe (×2)
2732 | regsvr32.exe
1856 | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe (×2)

Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | Dofake.exe
File opened (read-only) | \??\I: | Dofake.exe
File opened (read-only) | \??\J: | Dofake.exe
File opened (read-only) | \??\K: | Dofake.exe
File opened (read-only) | \??\L: | Dofake.exe
File opened (read-only) | \??\M: | Dofake.exe
File opened (read-only) | \??\E: | Dofake.exe
File opened (read-only) | \??\G: | Dofake.exe
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6E28339B-7A2A-47B6-AEB2-46BA53782379} | regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | rundll32.exe
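The signature above only records that rundll32.exe (PID 2144) opened \??\PhysicalDrive0 for writing; it does not show what was written, and on a real host the responder has to pull the first sector and compare it with a known-good copy. The following is an added Python example, not code from the report or from the sample: it parses a 512-byte MBR (boot code, disk signature, four partition entries, 0x55AA trailer), hashes the boot-code region and compares it with a baseline, and flags the partition-table anomalies a careless overwrite leaves behind (missing trailer, several active entries, overlapping entries). The sectors it checks are constructed inside the block; on a Windows host the same function takes the 512 bytes read from \\.\PhysicalDrive0 in an elevated session.

```python
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 boot code; 440..443 disk signature; 444..445 reserved
PART_TABLE_OFF = 446       # four 16-byte partition entries
PART_ENTRY_LEN = 16
SIG_OFF = 510              # trailer 0x55 0xAA


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass
class MbrReport:
    signature_ok: bool
    disk_signature: int
    boot_code_sha256: str
    partitions: List[Partition] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def parse_mbr(sector: bytes, baseline_boot_sha256: Optional[str] = None) -> MbrReport:
    """Parse one 512-byte MBR and flag the anomalies a boot-sector overwrite leaves behind."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    report = MbrReport(
        signature_ok=sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
        disk_signature=struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        boot_code_sha256=hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
    )
    if not report.signature_ok:
        report.findings.append("missing 0x55AA boot signature")
    if baseline_boot_sha256 and report.boot_code_sha256 != baseline_boot_sha256.lower():
        report.findings.append("boot code differs from baseline")
    for i in range(4):
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        if ptype == 0:
            continue                      # empty slot
        if status not in (0x00, 0x80):
            report.findings.append(f"entry {i}: invalid status byte 0x{status:02x}")
        if count == 0:
            report.findings.append(f"entry {i}: zero-length partition")
        report.partitions.append(Partition(i, status == 0x80, ptype, lba, count))
    if sum(p.bootable for p in report.partitions) > 1:
        report.findings.append("more than one active partition")
    ordered = sorted(report.partitions, key=lambda p: p.lba_start)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.lba_start < prev.lba_start + prev.sectors:
            report.findings.append(f"entry {cur.index} overlaps entry {prev.index}")
    return report


def build_mbr(boot_code: bytes, entries: Sequence[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a synthetic MBR (constructed test data, not a sector captured from the sample)."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, BOOT_CODE_LEN, 0x1234ABCD)   # arbitrary disk signature
    for i, (status, ptype, lba, count) in enumerate(entries[:4]):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, ptype, lba, count)
    sector[SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed boot code: a short jump and an OEM-style label, zero padded to 440 bytes.
CLEAN_BOOT = b"\xeb\x3c\x90" + b"EXAMPLE " + b"\x00" * (BOOT_CODE_LEN - 11)
# The same code with its first instruction replaced by a far jump, the kind of patch
# a bootkit applies so its own loader runs before the original boot code (illustrative).
HOOKED_BOOT = b"\xea\x00\x7c\x00\x00" + CLEAN_BOOT[5:]
LAYOUT = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 2097152)]


def baseline_hash() -> str:
    """Hash of the known-good boot code, as recorded before the incident."""
    return parse_mbr(build_mbr(CLEAN_BOOT, LAYOUT)).boot_code_sha256


def check_disk(sector: bytes) -> MbrReport:
    """Compare a freshly read sector against the recorded baseline."""
    return parse_mbr(sector, baseline_hash())


if __name__ == "__main__":
    # On a live Windows host (elevated): sector = open(r"\\.\PhysicalDrive0", "rb").read(512)
    for label, code in (("clean", CLEAN_BOOT), ("hooked", HOOKED_BOOT)):
        rep = check_disk(build_mbr(code, LAYOUT))
        print(label, rep.boot_code_sha256[:16], rep.findings or "no findings")
```

The baseline hash is the key design choice: boot code legitimately differs between Windows versions and OEM images, so "looks odd" is not a usable criterion, but "differs from the hash taken at imaging time" is. Keep the 440-byte hash per disk alongside the disk signature, and treat a mismatch together with the raw-write IoC above as a reimage decision, not a cleanup.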
Drops file in System32 directory 6 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\ccy5750.dll | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\dllcache\ccy5750.dll | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ydile.dll | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\Dofake.exe | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\taoba_1.dll | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\cpa_1.exe | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe

UPX packed (yara rule match) 3 IoCs
resource | yara_rule
behavioral1/memory/1856-0-0x0000000000400000-0x0000000000459000-memory.dmp | upx
behavioral1/memory/1856-10-0x0000000000400000-0x0000000000459000-memory.dmp | upx
behavioral1/memory/1856-44-0x0000000000400000-0x0000000000459000-memory.dmp | upx

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dofake.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cpa_1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe
Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ = "C:\\Windows\\SysWow64\\ydile.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1\ = "EyeOnIE Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\Programmable | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\0\win32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040} | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\ = "EyeOnIE Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\ = "ATlMy Class" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS\ = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\taoba_1.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib\ = "{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\ProgID\ = "BhoPlugin.EyeOnIE.1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\HELPDIR | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\FLAGS | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\FLAGS\ = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID\ = "TestAtl.ATlMy" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\InprocServer32\ = "C:\\Windows\\SysWow64\\taoba_1.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\ = "BhoPlugin 1.0 Type Library" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID\ = "TestAtl.ATlMy.1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\HELPDIR\ = "C:\\Windows\\System32" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib\ = "{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}" | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ydile.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\TypeLib\ = "{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ = "ATlMy Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\Programmable | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1\CLSID\ = "{6E28339B-7A2A-47B6-AEB2-46BA53782379}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CLSID\ = "{6E28339B-7A2A-47B6-AEB2-46BA53782379}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CurVer\ = "BhoPlugin.EyeOnIE.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\ = "EyeOnIE Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32 | regsvr32.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process
2816 | cpa_1.exe (×5)
2144 | rundll32.exe
2816 | cpa_1.exe (×16)

Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1856 | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe
2824 | Dofake.exe
2816 | cpa_1.exe

Suspicious use of WriteProcessMemory 40 IoCs
description | pid | Process | procid_target
PID 1856 wrote to memory of 2576 | 1856 | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe | 30 (×7)
PID 1856 wrote to memory of 2144 | 1856 | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe | 31 (×7)
PID 1856 wrote to memory of 2824 | 1856 | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe | 33 (×4)
PID 1856 wrote to memory of 2732 | 1856 | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe | 34 (×7)
PID 1856 wrote to memory of 2816 | 1856 | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe | 35 (×4)
PID 2816 wrote to memory of 2768 | 2816 | cpa_1.exe | 36 (×4)
PID 2632 wrote to memory of 1644 | 2632 | explorer.exe | 38 (×3)
PID 1856 wrote to memory of 1016 | 1856 | 4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe | 40 (×4)
Processes

C:\Users\Admin\AppData\Local\Temp\4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe (level 1, PID 1856)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe (level 2, PID 2576)
    Command line: regsvr32 /s C:\Windows\System32\ydile.dll
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class

  C:\Windows\SysWOW64\rundll32.exe (level 2, PID 2144)
    Command line: rundll32 ccy5750.dll , InstallMyDll
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\Dofake.exe (level 2, PID 2824)
    Command line: C:\Windows\System32\Dofake.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\regsvr32.exe (level 2, PID 2732)
    Command line: regsvr32 /s C:\Windows\System32\taoba_1.dll
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class

  C:\Windows\SysWOW64\cpa_1.exe (level 2, PID 2816)
    Command line: C:\Windows\System32\cpa_1.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\explorer.exe (level 3, PID 2768)
      Command line: explorer
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (level 2, PID 1016)
    Command line: cmd /c 375519961O57540.bat
    - Deletes itself
    - System Location Discovery: System Language Discovery

C:\Windows\explorer.exe (level 1, PID 2632)
  Command line: C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\ctfmon.exe (level 2, PID 1644)
    Command line: ctfmon.exe
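The process tree above reads as a set of LOLBin invocations that detection content should catch regardless of the sample's hashes: regsvr32 /s registering DLLs the sample had just written, rundll32 loading a DLL by bare name through the search path and calling a custom export, dropped executables launched from the System32 path, and cmd /c running a batch file from a non-shell parent (the "Deletes itself" signature). Note that the command lines say C:\Windows\System32\... while the reported images live under C:\Windows\SysWOW64\: the sample is 32-bit, so WOW64 file system redirection maps its System32 writes and loads to SysWOW64, and that is where the artifacts must be hunted. The Python below is an added example and not part of the Triage output: it encodes those rules plus the Explorer, BHO and raw-disk IoCs from the Signatures section, runs them over process and event records transcribed from this report, and tags each finding with the ATT&CK technique (T1218.010, T1218.011, T1070.004, T1564.001, T1176, T1542.003). Parent links follow the tree nesting, and the rule names and record layout are this example's own.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Records transcribed from this report's process tree and signature tables (PIDs, images,
# command lines and registry paths are the sandbox's); parent links follow the tree nesting.
# DROPPED is the set of files the sample wrote to the System32 directory.
DROPPED = {"ccy5750.dll", "ydile.dll", "dofake.exe", "taoba_1.dll", "cpa_1.exe"}
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4f8b232e9457f18be375b581686fa3b1_JaffaCakes118.exe"
PROCESSES = [
    {"pid": 1856, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2576, "ppid": 1856, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Windows\System32\ydile.dll"},
    {"pid": 2144, "ppid": 1856, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32 ccy5750.dll , InstallMyDll"},
    {"pid": 2824, "ppid": 1856, "image": r"C:\Windows\SysWOW64\Dofake.exe",
     "cmdline": r"C:\Windows\System32\Dofake.exe"},
    {"pid": 2732, "ppid": 1856, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Windows\System32\taoba_1.dll"},
    {"pid": 2816, "ppid": 1856, "image": r"C:\Windows\SysWOW64\cpa_1.exe",
     "cmdline": r"C:\Windows\System32\cpa_1.exe"},
    {"pid": 2768, "ppid": 2816, "image": r"C:\Windows\SysWOW64\explorer.exe", "cmdline": "explorer"},
    {"pid": 1016, "ppid": 1856, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c 375519961O57540.bat"},
]
HKCU = r"\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000"
EVENTS = [
    {"process": "Dofake.exe", "op": "Set value (int)", "value": "1",
     "path": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt"},
    {"process": "Dofake.exe", "op": "Set value (int)", "value": "0",
     "path": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"},
    {"process": "regsvr32.exe", "op": "Key created", "value": None,
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer"
             r"\Browser Helper Objects\{6E28339B-7A2A-47B6-AEB2-46BA53782379}"},
    {"process": "rundll32.exe", "op": "File opened for modification", "value": None,
     "path": r"\??\PhysicalDrive0"},
]
Finding = Dict[str, object]


def _base(path: str) -> str:
    return ntpath.basename(path.strip('"')).lower()


def _tokens(cmdline: str) -> List[str]:
    # Keeps quoted paths whole; adequate for sandbox-rendered command lines.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def triage_process(p: Dict, by_pid: Dict[int, Dict]) -> List[Finding]:
    image, args = _base(p["image"]), _tokens(p["cmdline"])[1:]
    lowargs = [a.lower() for a in args]
    parent = by_pid.get(p["ppid"])
    parent_image = _base(parent["image"]) if parent else None
    out: List[Finding] = []

    def add(rule: str, attack: Optional[str], detail: str) -> None:
        out.append({"pid": p["pid"], "image": image, "rule": rule, "attack": attack, "detail": detail})

    if image in DROPPED:
        add("dropped_exe_launched", None, f"{p['image']} was written by the sample and then executed")
    if image == "regsvr32.exe" and "/s" in lowargs:
        for dll in (a for a in args if a.lower().endswith(".dll") and _base(a) in DROPPED):
            add("regsvr32_silent_dropped_dll", "T1218.010", f"silent registration of dropped DLL {dll}")
    if image == "rundll32.exe" and args:
        dll, _, export = " ".join(args).partition(",")     # "<dll> , <export>" with loose spacing
        dll, export = dll.strip(), export.strip()
        if "\\" not in dll or _base(dll) in DROPPED:
            add("rundll32_dropped_or_relative_dll", "T1218.011",
                f"{dll} resolved via the DLL search path, export {export or '<none>'}")
    if image == "cmd.exe" and "/c" in lowargs and parent_image not in (None, "cmd.exe", "explorer.exe"):
        bats = [a for a in args if a.lower().endswith(".bat")]
        if bats:
            add("batch_from_nonshell_parent", "T1070.004",
                f"{parent_image} ran {bats[0]} via cmd /c (the report's 'Deletes itself' pattern)")
    if "\\syswow64\\" in p["image"].lower() and "\\system32\\" in p["cmdline"].lower():
        add("wow64_path_redirect", None,
            "command line names System32 but the 32-bit process ran from SysWOW64; hunt under SysWOW64")
    return out


def triage_event(e: Dict) -> List[Finding]:
    low, out = e["path"].lower(), []

    def add(rule: str, attack: str, detail: str) -> None:
        out.append({"pid": None, "image": e["process"].lower(), "rule": rule, "attack": attack, "detail": detail})

    if low.endswith(r"\explorer\advanced\hidefileext") and e["value"] == "1":
        add("explorer_hide_extensions", "T1564.001", "HideFileExt=1 hides extensions so dropped payloads look benign")
    if low.endswith(r"\explorer\advanced\showsuperhidden") and e["value"] == "0":
        add("explorer_hide_system_files", "T1564.001", "ShowSuperHidden=0 hides protected operating system files")
    m = re.search(r"\\browser helper objects\\(\{[0-9a-f-]+\})", low)
    if m:
        add("bho_registered", "T1176", f"BHO CLSID {m.group(1).upper()} registered; resolve its InprocServer32 to the DLL")
    if low.endswith("physicaldrive0") and "modification" in e["op"].lower():
        add("raw_disk_write", "T1542.003", "write handle to disk 0 opened; image and diff the MBR")
    return out


def triage(processes: List[Dict], events: List[Dict]) -> List[Finding]:
    by_pid = {p["pid"]: p for p in processes}
    findings: List[Finding] = []
    for p in processes:
        findings.extend(triage_process(p, by_pid))
    for e in events:
        findings.extend(triage_event(e))
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES, EVENTS):
        print(f"{f['attack'] or '-':<10} {f['rule']:<34} pid={f['pid']} {f['image']}: {f['detail']}")
```

Against the records above the rules fire fourteen times; the two informational rules (dropped executable launched, WOW64 path redirection) carry no technique ID because they are context for the responder rather than detections on their own. The same functions accept any process and event records in this shape, so the block doubles as a harness for the corresponding Sysmon or EDR telemetry once it is mapped to these fields.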
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (4)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads

File 1
- Filesize: 2KB
- MD5: 682fd3a4162e12281a52a7a43df4d2f9
- SHA1: d4e51b0efecbb7f0115bc4a8a4dfd45d277d165a
- SHA256: d56a3c7d69756a627e20577f1cf888cddd8741c69947662c2817d2623f6caa75
- SHA512: 759c30ebce7e5c96eb5b0a829b58e1586880cb0db31c89836cbce8d73f475eeeb5ebf3e0bff2ea6ebc0b02fe58eae28b2d7f55059227e314754ccfa0e962bd53

File 2
- Filesize: 112KB
- MD5: eab4d3ae8c9f2ba262802b21b96d99fa
- SHA1: e66f6b9b9f272238514dd8242d9ce9ba2c73ff04
- SHA256: 55ae6670a0f1f69354883e67c5ed9c216dcd7bf133108bda8cfa308e916cad4b
- SHA512: 5a50d643c5f10935a1c9561a4aba1b3b860f45b1a741f8ad58e6b6ed1f254cc82456e1f23dd4a6416ee81e5d681ac0f86022204ec11f4daa0686b9b2997978e8

File 3
- Filesize: 32KB
- MD5: 92d98e99b7f407edf3f22112b4820334
- SHA1: 1644c2f67918ffdd267cdd554a3ffe3e9ea542ea
- SHA256: 8b271999d7cf97556a64a22e4603a8def932515c2131ca05eb48809de481b703
- SHA512: a71c07ef0082337fc99587354dc5a169ee2c8fd6d57edf430aae2cfa40f15f57e60f9c9b35b2e2f7550a19cd0271f50849ae4af1f40c54083d28a042b4468ba6

File 4
- Filesize: 56KB
- MD5: f0508d5e39bfed1f9f5b5ae9a062ea6e
- SHA1: 32c16f35f62d4a2d30f7dce507bee850f029ef7a
- SHA256: a85c7d3290a25a44be1f858521da0e777ae62a44ddc0a0f18113ef55549d8a19
- SHA512: 1cc766b0b289eda8651509d7843be239ef04612b74f8f22552c643543ebafde6b65919b37c3a0b5da8a496eeab5d1ffff12702a1b0d3da5d1a651c8700a4bd29

File 5
- Filesize: 72KB
- MD5: 5aebe3daaaa5b3101c10faf213f362e2
- SHA1: e14eca13088bdf2e717b3f77273da8c6bd58c7f1
- SHA256: 97c4d2f5b7d41bfe67b5c1f7177cbb04628a9a5d09d21c1d0f2e6865843d56c7
- SHA512: 38707a3d8ef5b3407accb3caf8ec807bc509d7cc9af6f73998b99cec2dc2489140924c9038258620cb80662ff0e604455380ad9c80625e3b66a7cad1b74d329f

File 6
- Filesize: 36KB
- MD5: 481d889fdf7c229a0cbee2a4306bdec8
- SHA1: 3dd11c05e2c574083a88ec5ce02af3c24ef27dd4
- SHA256: 038ce6624bd5ba6a7f2d416b0f9b6aa4147efa896c757ebcbb450fde22bb0226
- SHA512: 1a778d97c3b5bda0e7a5d7097631e192a014daab11180646510b59d498a8aa2638d672785daeb410ff38715a399ac306abc5b303d18b93194218dd48174dcc10