Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27-10-2024 22:37
Static task
static1
Behavioral task
behavioral1
Sample
764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
Resource
win7-20241010-en
General
-
Target
764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
-
Size
264KB
-
MD5
764bd0f47d395a4a3e4abdf501d48402
-
SHA1
ee6e39714fc6df19d0acf9a1a33494c82080580c
-
SHA256
f6df2a467533efa9839443780f837572e796f599c8c1549cd8241cacbd531705
-
SHA512
1edcdc167ca6d35fdfd4a32ad1535649dd49a0389461c498bffed11dfc43ab33d7c3c20dc85759cc87c594c228725f36c578d4e8b37cc11e1c20afcfb35f9969
-
SSDEEP
6144:PIFqVA0HHhehYho+7VjNuBMNm2vOhxXbn4:k8DuBAOhRn4
Malware Config
Extracted
latentbot
rsbotsoultions.zapto.org
1rsbotsoultions.zapto.org
2rsbotsoultions.zapto.org
3rsbotsoultions.zapto.org
4rsbotsoultions.zapto.org
5rsbotsoultions.zapto.org
6rsbotsoultions.zapto.org
7rsbotsoultions.zapto.org
Signatures
-
Latentbot family
-
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\local.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\local.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation winhv.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation HdAudio.exe -
Executes dropped EXE 3 IoCs
pid Process 4292 HdAudio.exe 456 winhv.exe 3568 HdAudio.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe" HdAudio.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe" HdAudio.exe -
Suspicious use of SetThreadContext 22 IoCs
description pid Process procid_target PID 2304 set thread context of 1772 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 97 PID 456 set thread context of 1000 456 winhv.exe 117 PID 456 set thread context of 1040 456 winhv.exe 119 PID 456 set thread context of 2784 456 winhv.exe 120 PID 456 set thread context of 3108 456 winhv.exe 121 PID 456 set thread context of 1724 456 winhv.exe 122 PID 456 set thread context of 2904 456 winhv.exe 124 PID 456 set thread context of 1984 456 winhv.exe 125 PID 456 set thread context of 2864 456 winhv.exe 126 PID 456 set thread context of 3612 456 winhv.exe 127 PID 456 set thread context of 4832 456 winhv.exe 128 PID 456 set thread context of 1372 456 winhv.exe 129 PID 456 set thread context of 436 456 winhv.exe 134 PID 456 set thread context of 5028 456 winhv.exe 139 PID 456 set thread context of 2332 456 winhv.exe 140 PID 456 set thread context of 1080 456 winhv.exe 141 PID 456 set thread context of 3408 456 winhv.exe 142 PID 456 set thread context of 228 456 winhv.exe 143 PID 456 set thread context of 768 456 winhv.exe 144 PID 456 set thread context of 1220 456 winhv.exe 148 PID 456 set thread context of 4064 456 winhv.exe 149 PID 456 set thread context of 1096 456 winhv.exe 150 -
resource yara_rule behavioral2/memory/1772-8-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1772-10-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1772-12-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1772-31-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1772-32-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1772-38-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1000-61-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1772-64-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1040-71-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/2784-79-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1772-81-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/3108-88-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1724-96-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1772-98-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/2904-105-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1984-113-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1772-116-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/2864-123-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/3612-131-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1772-133-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/4832-140-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1372-150-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/436-160-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/5028-169-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/2332-180-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1080-189-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/3408-199-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/228-208-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/768-218-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1220-227-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/4064-238-0x0000000000400000-0x000000000047D000-memory.dmp upx behavioral2/memory/1096-247-0x0000000000400000-0x000000000047D000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HdAudio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winhv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HdAudio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 3656 reg.exe 4852 reg.exe 2524 reg.exe 4036 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 39 IoCs
description pid Process Token: SeDebugPrivilege 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe Token: 1 1772 vbc.exe Token: SeCreateTokenPrivilege 1772 vbc.exe Token: SeAssignPrimaryTokenPrivilege 1772 vbc.exe Token: SeLockMemoryPrivilege 1772 vbc.exe Token: SeIncreaseQuotaPrivilege 1772 vbc.exe Token: SeMachineAccountPrivilege 1772 vbc.exe Token: SeTcbPrivilege 1772 vbc.exe Token: SeSecurityPrivilege 1772 vbc.exe Token: SeTakeOwnershipPrivilege 1772 vbc.exe Token: SeLoadDriverPrivilege 1772 vbc.exe Token: SeSystemProfilePrivilege 1772 vbc.exe Token: SeSystemtimePrivilege 1772 vbc.exe Token: SeProfSingleProcessPrivilege 1772 vbc.exe Token: SeIncBasePriorityPrivilege 1772 vbc.exe Token: SeCreatePagefilePrivilege 1772 vbc.exe Token: SeCreatePermanentPrivilege 1772 vbc.exe Token: SeBackupPrivilege 1772 vbc.exe Token: SeRestorePrivilege 1772 vbc.exe Token: SeShutdownPrivilege 1772 vbc.exe Token: SeDebugPrivilege 1772 vbc.exe Token: SeAuditPrivilege 1772 vbc.exe Token: SeSystemEnvironmentPrivilege 1772 vbc.exe Token: SeChangeNotifyPrivilege 1772 vbc.exe Token: SeRemoteShutdownPrivilege 1772 vbc.exe Token: SeUndockPrivilege 1772 vbc.exe Token: SeSyncAgentPrivilege 1772 vbc.exe Token: SeEnableDelegationPrivilege 1772 vbc.exe Token: SeManageVolumePrivilege 1772 vbc.exe Token: SeImpersonatePrivilege 1772 vbc.exe Token: SeCreateGlobalPrivilege 1772 vbc.exe Token: 31 1772 vbc.exe Token: 32 1772 vbc.exe Token: 33 1772 vbc.exe Token: 34 1772 vbc.exe Token: 35 1772 vbc.exe Token: SeDebugPrivilege 4292 HdAudio.exe Token: SeDebugPrivilege 456 winhv.exe Token: SeDebugPrivilege 3568 HdAudio.exe -
Suspicious use of SetWindowsHookEx 50 IoCs
pid Process 1772 vbc.exe 1772 vbc.exe 1772 vbc.exe 1772 vbc.exe 1000 vbc.exe 1000 vbc.exe 1772 vbc.exe 1040 vbc.exe 1040 vbc.exe 2784 vbc.exe 2784 vbc.exe 3108 vbc.exe 3108 vbc.exe 1724 vbc.exe 1724 vbc.exe 2904 vbc.exe 2904 vbc.exe 1984 vbc.exe 1984 vbc.exe 1772 vbc.exe 2864 vbc.exe 2864 vbc.exe 3612 vbc.exe 3612 vbc.exe 4832 vbc.exe 4832 vbc.exe 1372 vbc.exe 1372 vbc.exe 436 vbc.exe 436 vbc.exe 5028 vbc.exe 5028 vbc.exe 1772 vbc.exe 2332 vbc.exe 2332 vbc.exe 1080 vbc.exe 1080 vbc.exe 3408 vbc.exe 3408 vbc.exe 228 vbc.exe 228 vbc.exe 768 vbc.exe 768 vbc.exe 1220 vbc.exe 1220 vbc.exe 1772 vbc.exe 4064 vbc.exe 4064 vbc.exe 1096 vbc.exe 1096 vbc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2304 wrote to memory of 2852 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 95 PID 2304 wrote to memory of 2852 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 95 PID 2304 wrote to memory of 2852 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 95 PID 2304 wrote to memory of 1772 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 97 PID 2304 wrote to memory of 1772 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 97 PID 2304 wrote to memory of 1772 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 97 PID 2304 wrote to memory of 1772 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 97 PID 2304 wrote to memory of 1772 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 97 PID 2304 wrote to memory of 1772 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 97 PID 2304 wrote to memory of 1772 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 97 PID 2304 wrote to memory of 4292 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 98 PID 2304 wrote to memory of 4292 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 98 PID 2304 wrote to memory of 4292 2304 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe 98 PID 1772 wrote to memory of 1272 1772 vbc.exe 99 PID 1772 wrote to memory of 1272 1772 vbc.exe 99 PID 1772 wrote to memory of 1272 1772 vbc.exe 99 PID 1772 wrote to memory of 3528 1772 vbc.exe 100 PID 1772 wrote to memory of 3528 1772 vbc.exe 100 PID 1772 wrote to memory of 3528 1772 vbc.exe 100 PID 1772 wrote to memory of 4976 1772 vbc.exe 101 PID 1772 wrote to memory of 4976 1772 vbc.exe 101 PID 1772 wrote to memory of 4976 1772 vbc.exe 101 PID 1772 wrote to memory of 2272 1772 vbc.exe 102 PID 1772 wrote to memory of 2272 1772 vbc.exe 102 PID 1772 wrote to memory of 2272 1772 vbc.exe 102 PID 2272 wrote to memory of 2524 2272 cmd.exe 109 PID 3528 wrote to memory of 3656 3528 cmd.exe 107 PID 2272 wrote to memory of 2524 2272 cmd.exe 109 PID 2272 wrote to memory of 2524 2272 cmd.exe 109 PID 3528 wrote to memory of 3656 3528 cmd.exe 107 PID 3528 wrote to memory of 3656 3528 cmd.exe 107 PID 1272 wrote to memory of 4852 1272 cmd.exe 108 PID 1272 wrote to memory of 4852 1272 cmd.exe 108 PID 1272 wrote to memory of 4852 1272 cmd.exe 108 PID 4976 wrote to memory of 4036 4976 cmd.exe 110 PID 4976 wrote to memory of 4036 4976 cmd.exe 110 PID 4976 wrote to memory of 4036 4976 cmd.exe 110 PID 4292 wrote to memory of 456 4292 HdAudio.exe 111 PID 4292 wrote to memory of 456 4292 HdAudio.exe 111 PID 4292 wrote to memory of 456 4292 HdAudio.exe 111 PID 456 wrote to memory of 2640 456 winhv.exe 115 PID 456 wrote to memory of 2640 456 winhv.exe 115 PID 456 wrote to memory of 2640 456 winhv.exe 115 PID 456 wrote to memory of 1000 456 winhv.exe 117 PID 456 wrote to memory of 1000 456 winhv.exe 117 PID 456 wrote to memory of 1000 456 winhv.exe 117 PID 456 wrote to memory of 1000 456 winhv.exe 117 PID 456 wrote to memory of 1000 456 winhv.exe 117 PID 456 wrote to memory of 1000 456 winhv.exe 117 PID 456 wrote to memory of 1000 456 winhv.exe 117 PID 456 wrote to memory of 3568 456 winhv.exe 118 PID 456 wrote to memory of 3568 456 winhv.exe 118 PID 456 wrote to memory of 3568 456 winhv.exe 118 PID 456 wrote to memory of 1040 456 winhv.exe 119 PID 456 wrote to memory of 1040 456 winhv.exe 119 PID 456 wrote to memory of 1040 456 winhv.exe 119 PID 456 wrote to memory of 1040 456 winhv.exe 119 PID 456 wrote to memory of 1040 456 winhv.exe 119 PID 456 wrote to memory of 1040 456 winhv.exe 119 PID 456 wrote to memory of 1040 456 winhv.exe 119 PID 456 wrote to memory of 2784 456 winhv.exe 120 PID 456 wrote to memory of 2784 456 winhv.exe 120 PID 456 wrote to memory of 2784 456 winhv.exe 120 PID 456 wrote to memory of 2784 456 winhv.exe 120
Processes
-
C:\Users\Admin\AppData\Local\Temp\764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2852
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4852
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3656
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4036
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\local.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\local.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2524
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2640
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1000
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3568
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1040
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2784
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3108
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1724
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2904
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1984
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2864
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3612
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4832
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1372
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:436
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5028
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2332
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1080
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3408
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:228
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:768
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1220
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4064
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1096
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128B
MD5a5dcc7c9c08af7dddd82be5b036a4416
SHA14f998ca1526d199e355ffb435bae111a2779b994
SHA256e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5
SHA51256035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a
-
Filesize
13KB
MD53b7a912b974389998f9963e03fc20c32
SHA1209d5061ac43d8aed3adac94686372f2b9817d28
SHA256e90ae5939f92e8c0df41dc4e6b101912cb947d2d2339f07e8a1fa680feb34d42
SHA512ea5ea60a35571e9a4dd0151af4238df3e6c7996f918cffbfbb1262f90609be36d6ea122123409c7ea3920f4ce9d1f4c17b2b41f3d7503d1fb039009f2d0ec51b
-
Filesize
264KB
MD5764bd0f47d395a4a3e4abdf501d48402
SHA1ee6e39714fc6df19d0acf9a1a33494c82080580c
SHA256f6df2a467533efa9839443780f837572e796f599c8c1549cd8241cacbd531705
SHA5121edcdc167ca6d35fdfd4a32ad1535649dd49a0389461c498bffed11dfc43ab33d7c3c20dc85759cc87c594c228725f36c578d4e8b37cc11e1c20afcfb35f9969