Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17/10/2024, 22:00
Static task: static1
Behavioral task: behavioral1
Sample: 53f22538d90e23e311265cf9f948f772_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 53f22538d90e23e311265cf9f948f772_JaffaCakes118.exe
Size: 232KB
MD5: 53f22538d90e23e311265cf9f948f772
SHA1: af79ad12b3597d5dda7cb2b6c992fc67ea0e2306
SHA256: fb21688fff23ffa928a80384f0f467e1ca3dc4145153e6c9a82cc5a21fca8d3a
SHA512: ae3064f172066ccacf23a5a1dd2daf5d42129bc2d3fd7d4e76d8abf221ed0437c5865b0c3045260437f13cac511784664638ba4717afdcb4b05650dc5bb9674e
SSDEEP: 6144:z2JR6jBaplmtyCrAotVvp+/cWD0QBZeP2ljm:SJwd9y4JtVvp+EdOeP
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qr5i4eI0.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | touvea.exe

Deletes itself (1 IoC)
pid | Process
2100 | cmd.exe

Executes dropped EXE (7 IoCs)
pid | Process
2092 | qr5i4eI0.exe
2816 | touvea.exe
3016 | 2eet.exe
1500 | 2eet.exe
2332 | 2eet.exe
2896 | 2eet.exe
2052 | 2eet.exe

Loads dropped DLL (6 IoCs)
pid | Process
2724 | 53f22538d90e23e311265cf9f948f772_JaffaCakes118.exe
2724 | 53f22538d90e23e311265cf9f948f772_JaffaCakes118.exe
2092 | qr5i4eI0.exe
2092 | qr5i4eI0.exe
2724 | 53f22538d90e23e311265cf9f948f772_JaffaCakes118.exe
2724 | 53f22538d90e23e311265cf9f948f772_JaffaCakes118.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other secrets.

Adds Run key to start application (2 TTPs, 53 IoCs)
description | ioc | Process
All 53 IoCs are writes of the same value name with a different command-line switch each time:
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\touvea = "C:\\Users\\Admin\\touvea.exe /<switch>" | touvea.exe (52 writes) and qr5i4eI0.exe (1 write, switch /J)
Switches in the order written: /z /M /y /m /U /t /q /p /d /o /g /D /I /n /f /c /l /F /Y /s /O /B /L /G /A /X /J /h /Q /W /k /b /R /P /i /C /E /w /e /a /Z /H /j /S /r /V /T /J (by qr5i4eI0.exe) /v /K /u /x /N

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 2eet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 2eet.exe

Enumerates processes with tasklist (1 TTP, 2 IoCs)
pid | Process
324 | tasklist.exe
2752 | tasklist.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 3016 set thread context of 1500 | 3016 | 2eet.exe | 37
PID 3016 set thread context of 2332 | 3016 | 2eet.exe | 38
PID 3016 set thread context of 2052 | 3016 | 2eet.exe | 39
PID 3016 set thread context of 2896 | 3016 | 2eet.exe | 40

resource | yara_rule
behavioral1/memory/1500-49-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/1500-48-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/1500-46-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/1500-43-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/1500-41-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/2332-61-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2332-58-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2332-55-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2896-79-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/2896-76-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/2896-74-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/2332-71-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2332-68-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2052-66-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral1/memory/2052-64-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral1/memory/2896-91-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/2332-53-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2052-86-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral1/memory/2896-85-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/2896-84-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/2052-83-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral1/memory/2052-82-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral1/memory/1500-94-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/2332-95-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2052-98-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral1/memory/1500-102-0x0000000000400000-0x0000000000408000-memory.dmp | upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qr5i4eI0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2eet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2eet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2eet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2eet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 53f22538d90e23e311265cf9f948f772_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | touvea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe

Script User-Agent (1 IoC)
Uses a user-agent string associated with a script host/environment.
description | flow | ioc
HTTP User-Agent header | 3 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
2092 | qr5i4eI0.exe | 2
2332 | 2eet.exe | 2
2816 | touvea.exe | 60

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 324 | tasklist.exe
Token: SeDebugPrivilege | 2752 | tasklist.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
2724 | 53f22538d90e23e311265cf9f948f772_JaffaCakes118.exe
2092 | qr5i4eI0.exe
2816 | touvea.exe
3016 | 2eet.exe
1500 | 2eet.exe
2896 | 2eet.exe
2052 | 2eet.exe

Suspicious use of WriteProcessMemory (60 IoCs)
description | pid | Process | procid_target | occurrences
PID 2724 wrote to memory of 2092 | 2724 | 53f22538d90e23e311265cf9f948f772_JaffaCakes118.exe | 30 | 4
PID 2092 wrote to memory of 2816 | 2092 | qr5i4eI0.exe | 31 | 4
PID 2092 wrote to memory of 2604 | 2092 | qr5i4eI0.exe | 32 | 4
PID 2604 wrote to memory of 324 | 2604 | cmd.exe | 34 | 4
PID 2724 wrote to memory of 3016 | 2724 | 53f22538d90e23e311265cf9f948f772_JaffaCakes118.exe | 35 | 4
PID 3016 wrote to memory of 1500 | 3016 | 2eet.exe | 37 | 8
PID 3016 wrote to memory of 2332 | 3016 | 2eet.exe | 38 | 8
PID 3016 wrote to memory of 2052 | 3016 | 2eet.exe | 39 | 8
PID 3016 wrote to memory of 2896 | 3016 | 2eet.exe | 40 | 8
PID 2724 wrote to memory of 2100 | 2724 | 53f22538d90e23e311265cf9f948f772_JaffaCakes118.exe | 41 | 4
PID 2100 wrote to memory of 2752 | 2100 | cmd.exe | 43 | 4
Processes
(indentation shows the parent/child relationship; the number is the depth in the tree)

1. C:\Users\Admin\AppData\Local\Temp\53f22538d90e23e311265cf9f948f772_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\53f22538d90e23e311265cf9f948f772_JaffaCakes118.exe"
   PID: 2724
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\qr5i4eI0.exe
      command line: C:\Users\Admin\qr5i4eI0.exe
      PID: 2092
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\touvea.exe
         command line: "C:\Users\Admin\touvea.exe"
         PID: 2816
         - Modifies visibility of hidden/system files in Explorer
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx

      3. C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del qr5i4eI0.exe
         PID: 2604
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\tasklist.exe
            command line: tasklist
            PID: 324
            - Enumerates processes with tasklist
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\2eet.exe
      command line: C:\Users\Admin\2eet.exe
      PID: 3016
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\2eet.exe
         command line: "C:\Users\Admin\2eet.exe"
         PID: 1500
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx

      3. C:\Users\Admin\2eet.exe
         command line: "C:\Users\Admin\2eet.exe"
         PID: 2332
         - Executes dropped EXE
         - Maps connected drives based on registry
         - Suspicious behavior: EnumeratesProcesses

      3. C:\Users\Admin\2eet.exe
         command line: "C:\Users\Admin\2eet.exe"
         PID: 2052
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx

      3. C:\Users\Admin\2eet.exe
         command line: "C:\Users\Admin\2eet.exe"
         PID: 2896
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx

   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c tasklist&&del 53f22538d90e23e311265cf9f948f772_JaffaCakes118.exe
      PID: 2100
      - Deletes itself
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\tasklist.exe
         command line: tasklist
         PID: 2752
         - Enumerates processes with tasklist
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
(tactic; technique and count; sub-technique and count)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 96KB
MD5: 90d23730203c3fa5dbcb8a068fc28f7c
SHA1: d24dd53a400d27984aadc060a7a0ef084cb5a005
SHA256: 3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8
SHA512: 13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

Filesize: 328KB
MD5: ed270a209f35e4fadd970371a6295c7d
SHA1: 8f2d66fc5b71de4e2374899497274552cd78f31e
SHA256: e3595b20420990c88a734542a5cc930c3a7cb7c03989947dada31a92fd25168f
SHA512: d37c661b6c52ddccea1f69b322bbd234037284182cf94d63bff537e706e3cecfc006bb9d290a1256d72bf97effc20b82e233a6a1f7c3f23010f7541eadf9bc46

Filesize: 328KB
MD5: 4a64c5b304fb6f24efda3e4b82f75a13
SHA1: 6be6bb2121c618dd660cf16d2b3c8df0f26e6ae0
SHA256: 4b8ec9a6c506c8ebd37059781703e95797344c6af447b71aaddb6e353a38213b
SHA512: 3cee5f7bc91dd062b8af90f17797d155125f463ab58017517810923a80bda33db3e98cac5ac5e1fd6d26b1ece8285a7806594fa2eaafbe9193c3c7929c84ff53