8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2024 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe
Size

714KB
MD5

6d83d702fad47bf24a04c4b3e2c9d930
SHA1

e706a46e3bbb821e8f4aec1f3e488be1504b855b
SHA256

8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07
SHA512

62cda9516333dfe92d4099f2cc25d8e434ac23abc28dbd522695b200a4a1545473a6a419bd9ac8fadb54283980a82f37d1faa2ab32df92a9d10e74750c58499d
SSDEEP

12288:mSuYrHkpL3KyptgMzPez1OkvHj3CfL0PzGJRZLB3LE:X1kpL3KyAWPez1fD3mLIzGvZt3LE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5000	pqnvkxl.exe
4324	pqnvkxl.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4708 set thread context of 1624	4708	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe	84
PID 5000 set thread context of 4324	5000	pqnvkxl.exe	87

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3172	4324	WerFault.exe	87
4708	4324	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pqnvkxl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pqnvkxl.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{0576a638-0000-0000-0000-d01200000000}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{0576a638-0000-0000-0000-f0ff3a000000}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{0576a638-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00300035003700360061003600330038002d0030003000300030002d0030003000300030002d0030003000300030002d006400300031003200300030003000300030003000300030007d00000030002c007b00300035003700360061003600330038002d0030003000300030002d0030003000300030002d0030003000300030002d006600300066006600330061003000300030003000300030007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{0576a638-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{0576a638-0000-0000-0000-f0ff3a000000}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{0576a638-0000-0000-0000-f0ff3a000000}\MaxCapacity = "2047"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133741388093220517"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133741388332439755"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133727709535635295"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133741388013012695"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133741389012751836"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133741388321033037"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133741389025564299"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133741389046033155"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133741389367439143"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133741389369314190"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133741389374314377"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133741388691502360"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133741389038845467"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133727709533916626"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133741388649314205"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133741389370720532"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133741388326814334"	svchost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4708	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe
4708	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe
1624	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe
1624	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe
5000	pqnvkxl.exe
5000	pqnvkxl.exe
4324	pqnvkxl.exe
4324	pqnvkxl.exe
4324	pqnvkxl.exe
4324	pqnvkxl.exe
4324	pqnvkxl.exe
4324	pqnvkxl.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4324	pqnvkxl.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe
Token: SeTcbPrivilege	784	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4708	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe
4708	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe
5000	pqnvkxl.exe
5000	pqnvkxl.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 1624	4708	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe	84
PID 4708 wrote to memory of 1624	4708	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe	84
PID 4708 wrote to memory of 1624	4708	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe	84
PID 4708 wrote to memory of 1624	4708	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe	84
PID 4708 wrote to memory of 1624	4708	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe	84
PID 4708 wrote to memory of 1624	4708	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe	84
PID 4708 wrote to memory of 1624	4708	6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe	84
PID 5000 wrote to memory of 4324	5000	pqnvkxl.exe	87
PID 5000 wrote to memory of 4324	5000	pqnvkxl.exe	87
PID 5000 wrote to memory of 4324	5000	pqnvkxl.exe	87
PID 5000 wrote to memory of 4324	5000	pqnvkxl.exe	87
PID 5000 wrote to memory of 4324	5000	pqnvkxl.exe	87
PID 5000 wrote to memory of 4324	5000	pqnvkxl.exe	87
PID 5000 wrote to memory of 4324	5000	pqnvkxl.exe	87
PID 4324 wrote to memory of 784	4324	pqnvkxl.exe	8
PID 784 wrote to memory of 4704	784	svchost.exe	95
PID 784 wrote to memory of 4704	784	svchost.exe	95
PID 784 wrote to memory of 2612	784	svchost.exe	101
PID 784 wrote to memory of 2612	784	svchost.exe	101
PID 784 wrote to memory of 1324	784	svchost.exe	102
PID 784 wrote to memory of 1324	784	svchost.exe	102
PID 784 wrote to memory of 2828	784	svchost.exe	104
PID 784 wrote to memory of 2828	784	svchost.exe	104
PID 784 wrote to memory of 2828	784	svchost.exe	104
PID 784 wrote to memory of 3444	784	svchost.exe	105
PID 784 wrote to memory of 3444	784	svchost.exe	105
PID 784 wrote to memory of 3444	784	svchost.exe	105
PID 784 wrote to memory of 4920	784	svchost.exe	106
PID 784 wrote to memory of 4920	784	svchost.exe	106
PID 784 wrote to memory of 3428	784	svchost.exe	107
PID 784 wrote to memory of 3428	784	svchost.exe	107
PID 784 wrote to memory of 3428	784	svchost.exe	107
PID 784 wrote to memory of 2592	784	svchost.exe	108
PID 784 wrote to memory of 2592	784	svchost.exe	108
PID 784 wrote to memory of 2592	784	svchost.exe	108
PID 784 wrote to memory of 3744	784	svchost.exe	110
PID 784 wrote to memory of 3744	784	svchost.exe	110
PID 784 wrote to memory of 3744	784	svchost.exe	110
PID 784 wrote to memory of 740	784	svchost.exe	111
PID 784 wrote to memory of 740	784	svchost.exe	111
PID 784 wrote to memory of 740	784	svchost.exe	111
PID 784 wrote to memory of 4720	784	svchost.exe	112
PID 784 wrote to memory of 4720	784	svchost.exe	112
PID 784 wrote to memory of 4720	784	svchost.exe	112
PID 784 wrote to memory of 796	784	svchost.exe	113
PID 784 wrote to memory of 796	784	svchost.exe	113
PID 784 wrote to memory of 796	784	svchost.exe	113
PID 784 wrote to memory of 3848	784	svchost.exe	114
PID 784 wrote to memory of 3848	784	svchost.exe	114
PID 784 wrote to memory of 3848	784	svchost.exe	114
PID 784 wrote to memory of 4548	784	svchost.exe	115
PID 784 wrote to memory of 4548	784	svchost.exe	115
PID 784 wrote to memory of 4548	784	svchost.exe	115
PID 784 wrote to memory of 3416	784	svchost.exe	116
PID 784 wrote to memory of 3416	784	svchost.exe	116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:4704
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:2612
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:1324
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2828
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:3444
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:4920
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3428
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2592
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:3744
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:740
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:4720
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:796
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3848
- C:\Windows\system32\BackgroundTaskHost.exe
  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  2⤵
  PID:4548
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3416

C:\Users\Admin\AppData\Local\Temp\6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\Admin\AppData\Local\Temp\6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1624

C:\Users\Admin\AppData\Local\Temp\pqnvkxl.exe
C:\Users\Admin\AppData\Local\Temp\pqnvkxl.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\pqnvkxl.exe
  C:\Users\Admin\AppData\Local\Temp\pqnvkxl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 656
    3⤵
    - Program crash
    PID:3172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 700
    3⤵
    - Program crash
    PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4324 -ip 4324
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4324 -ip 4324
1⤵
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\USOShared\oljsaze

Filesize
654B

MD5
acc34df71902915b74cbc0c4dc3c7f0b

SHA1
4cdf44c274a95faeb0751c25e5bda749c754ca55

SHA256
c0b39c94fc5195714e82852a9a3709e6193d032a7aa5a7b7e14316a004f801d8

SHA512
1324f73b2967ce468dd0ed79025d46f51322f70079097a21cfb184743e01bc7beb4d8829af71a710e0fc5d0d261e0c78915012185a7aed50cfb1f5767db7c04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqnvkxl.exe

Filesize
714KB

MD5
6d83d702fad47bf24a04c4b3e2c9d930

SHA1
e706a46e3bbb821e8f4aec1f3e488be1504b855b

SHA256
8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07

SHA512
62cda9516333dfe92d4099f2cc25d8e434ac23abc28dbd522695b200a4a1545473a6a419bd9ac8fadb54283980a82f37d1faa2ab32df92a9d10e74750c58499d

Download Submit
memory/784-18-0x000000003AFA0000-0x000000003B017000-memory.dmp

Filesize
476KB

Download
memory/784-20-0x000000003AFA0000-0x000000003B017000-memory.dmp

Filesize
476KB

Download
memory/784-3401-0x000000003AFA0000-0x000000003B017000-memory.dmp

Filesize
476KB

Download
memory/784-226-0x000000003AFA0000-0x000000003B017000-memory.dmp

Filesize
476KB

Download
memory/784-45-0x000000003AFA0000-0x000000003B017000-memory.dmp

Filesize
476KB

Download
memory/784-21-0x000000003AFA0000-0x000000003B017000-memory.dmp

Filesize
476KB

Download
memory/784-28-0x000000003AFA0000-0x000000003B017000-memory.dmp

Filesize
476KB

Download
memory/784-24-0x000000003AFA0000-0x000000003B017000-memory.dmp

Filesize
476KB

Download
memory/784-26-0x000000003AFA0000-0x000000003B017000-memory.dmp

Filesize
476KB

Download
memory/1624-3-0x0000000028990000-0x0000000028BAA000-memory.dmp

Filesize
2.1MB

Download
memory/1624-4-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1624-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1624-5-0x0000000028BB0000-0x0000000028DFB000-memory.dmp

Filesize
2.3MB

Download
memory/1624-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4324-15-0x0000000028B80000-0x0000000028DCB000-memory.dmp

Filesize
2.3MB

Download
memory/4324-13-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/4708-0-0x0000000000AC0000-0x0000000000AC4000-memory.dmp

Filesize
16KB

Download
memory/5000-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download