Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
27-10-2024 22:37
Static task
static1
Behavioral task
behavioral1
Sample
764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
Resource
win7-20241010-en
General
-
Target
764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
-
Size
264KB
-
MD5
764bd0f47d395a4a3e4abdf501d48402
-
SHA1
ee6e39714fc6df19d0acf9a1a33494c82080580c
-
SHA256
f6df2a467533efa9839443780f837572e796f599c8c1549cd8241cacbd531705
-
SHA512
1edcdc167ca6d35fdfd4a32ad1535649dd49a0389461c498bffed11dfc43ab33d7c3c20dc85759cc87c594c228725f36c578d4e8b37cc11e1c20afcfb35f9969
-
SSDEEP
6144:PIFqVA0HHhehYho+7VjNuBMNm2vOhxXbn4:k8DuBAOhRn4
Malware Config
Extracted
latentbot
rsbotsoultions.zapto.org
1rsbotsoultions.zapto.org
2rsbotsoultions.zapto.org
3rsbotsoultions.zapto.org
4rsbotsoultions.zapto.org
5rsbotsoultions.zapto.org
6rsbotsoultions.zapto.org
7rsbotsoultions.zapto.org
Signatures
-
Latentbot family
-
Modifies firewall policy service 3 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\local.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\local.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe -
Executes dropped EXE 3 IoCs
pid Process 3024 HdAudio.exe 1984 winhv.exe 2364 HdAudio.exe -
Loads dropped DLL 2 IoCs
pid Process 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 3024 HdAudio.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe" HdAudio.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe" HdAudio.exe -
Suspicious use of SetThreadContext 22 IoCs
description pid Process procid_target PID 2280 set thread context of 2752 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 34 PID 1984 set thread context of 840 1984 winhv.exe 52 PID 1984 set thread context of 1180 1984 winhv.exe 53 PID 1984 set thread context of 1800 1984 winhv.exe 54 PID 1984 set thread context of 1716 1984 winhv.exe 55 PID 1984 set thread context of 1488 1984 winhv.exe 56 PID 1984 set thread context of 2356 1984 winhv.exe 57 PID 1984 set thread context of 1340 1984 winhv.exe 58 PID 1984 set thread context of 1564 1984 winhv.exe 59 PID 1984 set thread context of 2964 1984 winhv.exe 60 PID 1984 set thread context of 1192 1984 winhv.exe 61 PID 1984 set thread context of 2832 1984 winhv.exe 62 PID 1984 set thread context of 2740 1984 winhv.exe 63 PID 1984 set thread context of 384 1984 winhv.exe 65 PID 1984 set thread context of 1728 1984 winhv.exe 66 PID 1984 set thread context of 1520 1984 winhv.exe 67 PID 1984 set thread context of 1016 1984 winhv.exe 68 PID 1984 set thread context of 824 1984 winhv.exe 69 PID 1984 set thread context of 2044 1984 winhv.exe 70 PID 1984 set thread context of 2452 1984 winhv.exe 71 PID 1984 set thread context of 2264 1984 winhv.exe 72 PID 1984 set thread context of 1720 1984 winhv.exe 73 -
resource yara_rule behavioral1/memory/2752-15-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2752-11-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2752-9-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2752-20-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2752-19-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2752-18-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2752-17-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2752-33-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/3024-38-0x00000000020E0000-0x0000000002120000-memory.dmp upx behavioral1/memory/2752-39-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/840-54-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2752-56-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/1180-71-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/1800-86-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2752-88-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/1716-104-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/1488-120-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2356-137-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/1340-153-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/1564-171-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2964-187-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/1192-204-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2832-220-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2740-237-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/384-253-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/1728-271-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/1520-287-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/1016-304-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/824-321-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2044-337-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2452-354-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral1/memory/2264-371-0x0000000000400000-0x000000000047D000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HdAudio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HdAudio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winhv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 1872 reg.exe 2844 reg.exe 2832 reg.exe 2952 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 39 IoCs
description pid Process Token: SeDebugPrivilege 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe Token: 1 2752 vbc.exe Token: SeCreateTokenPrivilege 2752 vbc.exe Token: SeAssignPrimaryTokenPrivilege 2752 vbc.exe Token: SeLockMemoryPrivilege 2752 vbc.exe Token: SeIncreaseQuotaPrivilege 2752 vbc.exe Token: SeMachineAccountPrivilege 2752 vbc.exe Token: SeTcbPrivilege 2752 vbc.exe Token: SeSecurityPrivilege 2752 vbc.exe Token: SeTakeOwnershipPrivilege 2752 vbc.exe Token: SeLoadDriverPrivilege 2752 vbc.exe Token: SeSystemProfilePrivilege 2752 vbc.exe Token: SeSystemtimePrivilege 2752 vbc.exe Token: SeProfSingleProcessPrivilege 2752 vbc.exe Token: SeIncBasePriorityPrivilege 2752 vbc.exe Token: SeCreatePagefilePrivilege 2752 vbc.exe Token: SeCreatePermanentPrivilege 2752 vbc.exe Token: SeBackupPrivilege 2752 vbc.exe Token: SeRestorePrivilege 2752 vbc.exe Token: SeShutdownPrivilege 2752 vbc.exe Token: SeDebugPrivilege 2752 vbc.exe Token: SeAuditPrivilege 2752 vbc.exe Token: SeSystemEnvironmentPrivilege 2752 vbc.exe Token: SeChangeNotifyPrivilege 2752 vbc.exe Token: SeRemoteShutdownPrivilege 2752 vbc.exe Token: SeUndockPrivilege 2752 vbc.exe Token: SeSyncAgentPrivilege 2752 vbc.exe Token: SeEnableDelegationPrivilege 2752 vbc.exe Token: SeManageVolumePrivilege 2752 vbc.exe Token: SeImpersonatePrivilege 2752 vbc.exe Token: SeCreateGlobalPrivilege 2752 vbc.exe Token: 31 2752 vbc.exe Token: 32 2752 vbc.exe Token: 33 2752 vbc.exe Token: 34 2752 vbc.exe Token: 35 2752 vbc.exe Token: SeDebugPrivilege 3024 HdAudio.exe Token: SeDebugPrivilege 1984 winhv.exe Token: SeDebugPrivilege 2364 HdAudio.exe -
Suspicious use of SetWindowsHookEx 50 IoCs
pid Process 2752 vbc.exe 2752 vbc.exe 2752 vbc.exe 2752 vbc.exe 840 vbc.exe 840 vbc.exe 2752 vbc.exe 1180 vbc.exe 1180 vbc.exe 1800 vbc.exe 1800 vbc.exe 1716 vbc.exe 1716 vbc.exe 1488 vbc.exe 1488 vbc.exe 2356 vbc.exe 2356 vbc.exe 1340 vbc.exe 1340 vbc.exe 2752 vbc.exe 1564 vbc.exe 1564 vbc.exe 2964 vbc.exe 2964 vbc.exe 1192 vbc.exe 1192 vbc.exe 2832 vbc.exe 2832 vbc.exe 2740 vbc.exe 2740 vbc.exe 384 vbc.exe 384 vbc.exe 2752 vbc.exe 1728 vbc.exe 1728 vbc.exe 1520 vbc.exe 1520 vbc.exe 1016 vbc.exe 1016 vbc.exe 824 vbc.exe 824 vbc.exe 2044 vbc.exe 2044 vbc.exe 2452 vbc.exe 2452 vbc.exe 2752 vbc.exe 2264 vbc.exe 2264 vbc.exe 1720 vbc.exe 1720 vbc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2280 wrote to memory of 2940 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 32 PID 2280 wrote to memory of 2940 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 32 PID 2280 wrote to memory of 2940 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 32 PID 2280 wrote to memory of 2940 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 32 PID 2280 wrote to memory of 2752 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 34 PID 2280 wrote to memory of 2752 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 34 PID 2280 wrote to memory of 2752 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 34 PID 2280 wrote to memory of 2752 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 34 PID 2280 wrote to memory of 2752 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 34 PID 2280 wrote to memory of 2752 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 34 PID 2280 wrote to memory of 2752 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 34 PID 2280 wrote to memory of 2752 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 34 PID 2280 wrote to memory of 3024 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 35 PID 2280 wrote to memory of 3024 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 35 PID 2280 wrote to memory of 3024 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 35 PID 2280 wrote to memory of 3024 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 35 PID 2752 wrote to memory of 2692 2752 vbc.exe 36 PID 2752 wrote to memory of 2692 2752 vbc.exe 36 PID 2752 wrote to memory of 2692 2752 vbc.exe 36 PID 2752 wrote to memory of 2692 2752 vbc.exe 36 PID 2752 wrote to memory of 2740 2752 vbc.exe 37 PID 2752 wrote to memory of 2740 2752 vbc.exe 37 PID 2752 wrote to memory of 2740 2752 vbc.exe 37 PID 2752 wrote to memory of 2740 2752 vbc.exe 37 PID 2752 wrote to memory of 772 2752 vbc.exe 38 PID 2752 wrote to memory of 772 2752 vbc.exe 38 PID 2752 wrote to memory of 772 2752 vbc.exe 38 PID 2752 wrote to memory of 772 2752 vbc.exe 38 PID 2752 wrote to memory of 1104 2752 vbc.exe 41 PID 2752 wrote to memory of 1104 2752 vbc.exe 41 PID 2752 wrote to memory of 1104 2752 vbc.exe 41 PID 2752 wrote to memory of 1104 2752 vbc.exe 41 PID 2692 wrote to memory of 2844 2692 cmd.exe 44 PID 2692 wrote to memory of 2844 2692 cmd.exe 44 PID 2692 wrote to memory of 2844 2692 cmd.exe 44 PID 2692 wrote to memory of 2844 2692 cmd.exe 44 PID 1104 wrote to memory of 1872 1104 cmd.exe 45 PID 1104 wrote to memory of 1872 1104 cmd.exe 45 PID 1104 wrote to memory of 1872 1104 cmd.exe 45 PID 1104 wrote to memory of 1872 1104 cmd.exe 45 PID 772 wrote to memory of 2832 772 cmd.exe 46 PID 772 wrote to memory of 2832 772 cmd.exe 46 PID 772 wrote to memory of 2832 772 cmd.exe 46 PID 772 wrote to memory of 2832 772 cmd.exe 46 PID 2740 wrote to memory of 2952 2740 cmd.exe 47 PID 2740 wrote to memory of 2952 2740 cmd.exe 47 PID 2740 wrote to memory of 2952 2740 cmd.exe 47 PID 2740 wrote to memory of 2952 2740 cmd.exe 47 PID 3024 wrote to memory of 1984 3024 HdAudio.exe 48 PID 3024 wrote to memory of 1984 3024 HdAudio.exe 48 PID 3024 wrote to memory of 1984 3024 HdAudio.exe 48 PID 3024 wrote to memory of 1984 3024 HdAudio.exe 48 PID 2280 wrote to memory of 2364 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 49 PID 2280 wrote to memory of 2364 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 49 PID 2280 wrote to memory of 2364 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 49 PID 2280 wrote to memory of 2364 2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 49 PID 1984 wrote to memory of 2404 1984 winhv.exe 50 PID 1984 wrote to memory of 2404 1984 winhv.exe 50 PID 1984 wrote to memory of 2404 1984 winhv.exe 50 PID 1984 wrote to memory of 2404 1984 winhv.exe 50 PID 1984 wrote to memory of 840 1984 winhv.exe 52 PID 1984 wrote to memory of 840 1984 winhv.exe 52 PID 1984 wrote to memory of 840 1984 winhv.exe 52 PID 1984 wrote to memory of 840 1984 winhv.exe 52
Processes
-
C:\Users\Admin\AppData\Local\Temp\764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2940
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2844
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2952
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2832
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\local.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\local.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1872
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2404
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:840
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1180
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1800
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1716
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1488
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2356
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1340
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1564
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2964
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1192
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2832
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2740
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:384
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1728
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1520
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1016
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:824
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2044
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2452
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2264
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1720
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD5764bd0f47d395a4a3e4abdf501d48402
SHA1ee6e39714fc6df19d0acf9a1a33494c82080580c
SHA256f6df2a467533efa9839443780f837572e796f599c8c1549cd8241cacbd531705
SHA5121edcdc167ca6d35fdfd4a32ad1535649dd49a0389461c498bffed11dfc43ab33d7c3c20dc85759cc87c594c228725f36c578d4e8b37cc11e1c20afcfb35f9969
-
Filesize
13KB
MD53b7a912b974389998f9963e03fc20c32
SHA1209d5061ac43d8aed3adac94686372f2b9817d28
SHA256e90ae5939f92e8c0df41dc4e6b101912cb947d2d2339f07e8a1fa680feb34d42
SHA512ea5ea60a35571e9a4dd0151af4238df3e6c7996f918cffbfbb1262f90609be36d6ea122123409c7ea3920f4ce9d1f4c17b2b41f3d7503d1fb039009f2d0ec51b