Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 30/10/2024, 14:19
Behavioral task: behavioral1
Sample: 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Size: 404KB
MD5: 7f85f00af073eeaba1e19077285ae933
SHA1: 8ab10781d4965f97ba6fba83f651aa63b547168a
SHA256: e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984
SHA512: e05ee6247bf1074166cecaa6254e12ecf278dd0156871803982d6541c0f55dfa06479bd2660c7ef7beb4e1a31a0d5612be7fba8c417e9bfc86e2da13460befd6
SSDEEP: 6144:+tiKbV4FeQ277LUnc2Emm4FSM1A4N87E/hTOZsSNBMlxUAFvnMB8ZN4Gb/Deg7o9:gi86Q/QnFlA+8FExF0B8ZeYeg7QnNxwa
Malware Config
Signatures
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 5 IoCs
description  ioc  Process
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options  lsass.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options  lsass.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options  smss.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource  yara_rule
behavioral1/files/0x000700000001919c-80.dat  acprotect
behavioral1/memory/2032-86-0x00000000000B0000-0x00000000000BF000-memory.dmp  acprotect
Executes dropped EXE 11 IoCs
pid  Process
2852  smss.exe
2908  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
2892  smss.exe
308  lsass.exe
2040  lsass.exe
836  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
2352  smss.exe
2720  smss.exe
2508  smss.exe
2696  smss.exe
2552  smss.exe
Loads dropped DLL 25 IoCs
Adds Run key to start application 2 TTPs 5 IoCs
description  ioc  Process
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Checks for any installed AV software in registry 1 TTPs 4 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService  lsass.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService  lsass.exe
Checks whether UAC is enabled 4 IoCs
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  lsass.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  lsass.exe
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\E:  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
File opened (read-only)  \??\E:  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File opened (read-only)  \??\E:  lsass.exe
File opened (read-only)  \??\E:  lsass.exe
Indicator Removal: Clear Persistence 5 IoCs
description  ioc  Process
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options  lsass.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options  lsass.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options  smss.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops autorun.inf file 1 TTPs 13 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description  ioc  Process
File opened for modification  D:\AUTORUN.INF  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File opened for modification  \??\E:\AUTORUN.INF  lsass.exe
File opened for modification  C:\AUTORUN.INF  lsass.exe
File opened for modification  D:\AUTORUN.INF  lsass.exe
File opened for modification  D:\AUTORUN.INF  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
File opened for modification  \??\E:\AUTORUN.INF  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
File opened for modification  C:\AUTORUN.INF  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File opened for modification  D:\AUTORUN.INF  lsass.exe
File opened for modification  \??\E:\AUTORUN.INF  lsass.exe
File created  C:\AUTORUN.INF  lsass.exe
File opened for modification  C:\AUTORUN.INF  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
File opened for modification  \??\E:\AUTORUN.INF  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File opened for modification  C:\AUTORUN.INF  lsass.exe
Drops file in System32 directory 22 IoCs
description  ioc  Process
File created  C:\Windows\SysWOW64\00302.log  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File opened for modification  C:\Windows\SysWOW64\com\lsass.exe  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File created  C:\Windows\SysWOW64\00302.log  lsass.exe
File opened for modification  C:\Windows\SysWOW64\com\smss.exe  lsass.exe
File opened for modification  C:\Windows\SysWOW64\com\smss.exe  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\com\smss.exe  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File opened for modification  C:\Windows\SysWOW64\com\smss.exe  lsass.exe
File opened for modification  C:\Windows\SysWOW64\com\netcfg.000  lsass.exe
File created  C:\Windows\SysWOW64\00302.log  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
File created  C:\Windows\SysWOW64\com\smss.exe  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
File created  C:\Windows\SysWOW64\com\lsass.exe  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File created  C:\Windows\SysWOW64\com\smss.exe  lsass.exe
File opened for modification  C:\Windows\SysWOW64\com\netcfg.dll  lsass.exe
File created  C:\Windows\SysWOW64\com\netcfg.000  lsass.exe
File opened for modification  C:\Windows\SysWOW64\dnsq.dll  lsass.exe
File created  C:\Windows\SysWOW64\dnsq.dll  lsass.exe
File opened for modification  C:\Windows\SysWOW64\com\bak  lsass.exe
File created  C:\Windows\SysWOW64\com\smss.exe  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File created  C:\Windows\SysWOW64\00302.log  lsass.exe
File opened for modification  C:\Windows\SysWOW64\com\lsass.exe  lsass.exe
File created  C:\Windows\SysWOW64\com\netcfg.dll  lsass.exe
File opened for modification  \??\c:\windows\SysWOW64\com\lsass.exe  lsass.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 43 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid  Process
3064  ping.exe
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main  lsass.exe
Modifies registry class 64 IoCs
Runs ping.exe 1 TTPs 1 IoCs
pid  Process
3064  ping.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid  Process
1780  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
2908  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
308  lsass.exe
2040  lsass.exe
Suspicious behavior: LoadsDriver 4 IoCs
pid  Process
476  Process not Found
476  Process not Found
476  Process not Found
476  Process not Found
Suspicious use of AdjustPrivilegeToken 8 IoCs
description  pid  Process
Token: SeDebugPrivilege  1780  7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Token: SeDebugPrivilege  2908  7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
Token: SeDebugPrivilege  308  lsass.exe
Token: SeDebugPrivilege  2040  lsass.exe
Token: 33  2540  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  2540  AUDIODG.EXE
Token: 33  2540  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  2540  AUDIODG.EXE
Suspicious use of SetWindowsHookEx 17 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
(image path, PID and tree depth on the first line of each entry; the command line as recorded; then the signatures that fired for that process)

C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe  (PID 1780, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe"
  - Event Triggered Execution: Image File Execution Options Injection
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Indicator Removal: Clear Persistence
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cacls.exe  (PID 2216, depth 2)
      command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cacls.exe  (PID 884, depth 2)
      command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 2804, depth 2)
      command line: cmd.exe /c echo ok
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 2704, depth 2)
      command line: cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\com\smss.exe  (PID 2852, depth 3)
          command line: C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
          - Executes dropped EXE
    \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log  (PID 2908, depth 2)
      command line: "c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks for any installed AV software in registry
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Indicator Removal: Clear Persistence
      - Drops autorun.inf file
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cacls.exe  (PID 2564, depth 3)
          command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cacls.exe  (PID 2560, depth 3)
          command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cacls.exe  (PID 2600, depth 3)
          command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cacls.exe  (PID 2648, depth 3)
          command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cmd.exe  (PID 2104, depth 3)
          command line: cmd.exe /c echo ok
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cmd.exe  (PID 2260, depth 3)
          command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cmd.exe  (PID 2264, depth 3)
          command line: cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cmd.exe  (PID 2268, depth 3)
          command line: cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\com\smss.exe  (PID 2892, depth 4)
              command line: C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
              - Executes dropped EXE
        C:\Windows\SysWOW64\com\lsass.exe  (PID 308, depth 3)
          command line: "C:\Windows\system32\com\lsass.exe"
          - Event Triggered Execution: Image File Execution Options Injection
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks for any installed AV software in registry
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Indicator Removal: Clear Persistence
          - Drops autorun.inf file
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\cacls.exe  (PID 2884, depth 4)
              command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cacls.exe  (PID 2748, depth 4)
              command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cacls.exe  (PID 2936, depth 4)
              command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cacls.exe  (PID 2392, depth 4)
              command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cacls.exe  (PID 1944, depth 4)
              command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cacls.exe  (PID 1556, depth 4)
              command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cmd.exe  (PID 1260, depth 4)
              command line: cmd.exe /c echo ok
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cmd.exe  (PID 1204, depth 4)
              command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cmd.exe  (PID 2248, depth 4)
              command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\regsvr32.exe  (PID 2288, depth 4)
              command line: "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Modifies registry class
            C:\Windows\SysWOW64\cmd.exe  (PID 2032, depth 4)
              command line: cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
                C:\Windows\SysWOW64\com\smss.exe  (PID 2352, depth 5)
                  command line: C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
                  - Executes dropped EXE
            C:\Windows\SysWOW64\cmd.exe  (PID 2712, depth 4)
              command line: cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
                C:\Windows\SysWOW64\com\smss.exe  (PID 2720, depth 5)
                  command line: C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
                  - Executes dropped EXE
            C:\Windows\SysWOW64\cmd.exe  (PID 2216, depth 4)
              command line: cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|E:\pagefile.pif"
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
                C:\Windows\SysWOW64\com\smss.exe  (PID 2508, depth 5)
                  command line: C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
                  - Executes dropped EXE
            C:\Windows\SysWOW64\com\smss.exe  (PID 2696, depth 4)
              command line: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
              - Event Triggered Execution: Image File Execution Options Injection
              - Executes dropped EXE
              - Loads dropped DLL
              - Indicator Removal: Clear Persistence
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cmd.exe  (PID 2772, depth 4)
              command line: cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cmd.exe  (PID 1780, depth 4)
              command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cmd.exe  (PID 2636, depth 4)
              command line: cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
                C:\Windows\SysWOW64\com\smss.exe  (PID 2552, depth 5)
                  command line: C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
                  - Executes dropped EXE
            C:\Windows\SysWOW64\cmd.exe  (PID 2132, depth 4)
              command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\ping.exe  (PID 3064, depth 4)
              command line: ping.exe -f -n 1 www.baidu.com
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
        C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe  (PID 836, depth 3)
          command line: "C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"
          - Executes dropped EXE
        C:\Windows\SysWOW64\com\lsass.exe  (PID 2040, depth 3)
          command line: ^c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
          - Event Triggered Execution: Image File Execution Options Injection
          - Executes dropped EXE
          - Checks for any installed AV software in registry
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Indicator Removal: Clear Persistence
          - Drops autorun.inf file
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\cacls.exe  (PID 3028, depth 4)
              command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cacls.exe  (PID 2232, depth 4)
              command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cacls.exe  (PID 940, depth 4)
              command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cacls.exe  (PID 956, depth 4)
              command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cacls.exe  (PID 1288, depth 4)
              command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cacls.exe  (PID 2568, depth 4)
              command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cmd.exe  (PID 1236, depth 4)
              command line: cmd.exe /c echo ok
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cmd.exe  (PID 1884, depth 4)
              command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
              - System Location Discovery: System Language Discovery

C:\Windows\system32\AUDIODG.EXE  (PID 2540, depth 1)
  command line: C:\Windows\system32\AUDIODG.EXE 0x4f8
  - Suspicious use of AdjustPrivilegeToken
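Detection logic for the behaviour the process tree above records, as an added example that is not part of this sandbox report. It runs over constructed process-creation events modelled on the report's command lines (the sample's file name is shortened to sample.exe, and the event shape is a minimal stand-in for a Sysmon Event ID 1 record) and flags five things the tree shows: a core Windows process name such as smss.exe or lsass.exe running from anywhere but C:\Windows\System32; a process image with a non-executable extension (the .exe.log copy); cacls or icacls granting Full Control on a path under C:\Windows; regsvr32 /s registering a DLL from a directory that is neither System32, SysWOW64 nor Program Files; and any command line naming X:\pagefile.pif at a drive root, the companion of the autorun.inf drop. The ProcEvent and Finding types, the rule names and the sample events are this example's own, not the sandbox's.

```python
"""Process-creation rules for the behaviour in the report's process tree.

Added example, not part of the sandbox report. Events are constructed
stand-ins modelled on the report's command lines (sample name shortened
to sample.exe); the event shape mirrors a minimal Sysmon Event ID 1.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Callable, Optional

SYSTEM32 = r"c:\windows\system32"
SYSWOW64 = r"c:\windows\syswow64"
# Core Windows processes whose only legitimate copy lives directly in System32.
MASQUERADE_NAMES = {"smss.exe", "lsass.exe", "csrss.exe", "services.exe",
                    "winlogon.exe", "wininit.exe"}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".cpl"}
_PIF_AT_ROOT = re.compile(r"[a-z]:\\pagefile\.pif", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str    # resolved image path (what actually ran)
    cmdline: str  # command line as recorded


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _norm(path: str) -> str:
    return path.strip('"').replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    p = _norm(path)
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def _argv(cmdline: str) -> list[str]:
    # posix=False keeps backslashes; the surrounding quotes are stripped afterwards.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def core_process_outside_system32(ev: ProcEvent) -> Optional[Finding]:
    """smss.exe, lsass.exe, ... running from any directory other than System32."""
    if _basename(ev.image) in MASQUERADE_NAMES and _dirname(ev.image) != SYSTEM32:
        return Finding("core_process_outside_system32", ev.pid, ev.image)
    return None


def non_executable_extension(ev: ProcEvent) -> Optional[Finding]:
    """An image whose extension says 'data' (the report's .exe.log copy)."""
    name = _basename(ev.image)
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext not in EXEC_EXTS:
        return Finding("non_executable_extension", ev.pid, ev.image)
    return None


def acl_full_control_under_windows(ev: ProcEvent) -> Optional[Finding]:
    """cacls /g user:F or icacls /grant user:F on a path under C:\\Windows."""
    if _basename(ev.image) not in {"cacls.exe", "icacls.exe"}:
        return None
    argv = _argv(ev.cmdline)
    if len(argv) < 2 or not _norm(argv[1]).startswith("c:\\windows\\"):
        return None
    grants = [argv[i + 1] for i, t in enumerate(argv[:-1])
              if t.lower() in ("/g", "/grant", "/grant:r")
              and argv[i + 1].lower().endswith(":f")]
    if grants:
        return Finding("acl_full_control_under_windows", ev.pid,
                       f"{argv[1]} -> {', '.join(grants)}")
    return None


def silent_regsvr32_nonstandard_dir(ev: ProcEvent) -> Optional[Finding]:
    """regsvr32 /s registering a DLL outside System32, SysWOW64 or Program Files."""
    if _basename(ev.image) != "regsvr32.exe":
        return None
    argv = _argv(ev.cmdline)
    dlls = [t for t in argv[1:] if not t.startswith("/")]
    if "/s" not in (t.lower() for t in argv) or not dlls:
        return None
    d = _dirname(dlls[0])
    if d in (SYSTEM32, SYSWOW64) or d.startswith("c:\\program files"):
        return None
    return Finding("silent_regsvr32_nonstandard_dir", ev.pid, dlls[0])


def pagefile_pif_at_drive_root(ev: ProcEvent) -> Optional[Finding]:
    """Any command line naming X:\\pagefile.pif, the autorun.inf companion."""
    m = _PIF_AT_ROOT.search(ev.cmdline)
    return Finding("pagefile_pif_at_drive_root", ev.pid, m.group(0)) if m else None


RULES: list[Callable[[ProcEvent], Optional[Finding]]] = [
    core_process_outside_system32, non_executable_extension,
    acl_full_control_under_windows, silent_regsvr32_nonstandard_dir,
    pagefile_pif_at_drive_root,
]


def scan(events) -> list[Finding]:
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


def summarize(findings) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed events modelled on the report's tree; the last three are benign controls.
SAMPLE_EVENTS = [
    ProcEvent(1780, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    ProcEvent(2216, r"C:\Windows\SysWOW64\cacls.exe",
              r'"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F'),
    ProcEvent(884, r"C:\Windows\SysWOW64\cacls.exe",
              r'"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F'),
    ProcEvent(2852, r"C:\Windows\SysWOW64\com\smss.exe",
              r"C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\sample.exe|c:\users\admin\appdata\local\temp\sample.exe.log"),
    ProcEvent(2908, r"\??\c:\users\admin\appdata\local\temp\sample.exe.log",
              r'"c:\users\admin\appdata\local\temp\sample.exe.log"'),
    ProcEvent(308, r"C:\Windows\SysWOW64\com\lsass.exe", r'"C:\Windows\system32\com\lsass.exe"'),
    ProcEvent(2288, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s'),
    ProcEvent(2352, r"C:\Windows\SysWOW64\com\smss.exe",
              r"C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif"),
    ProcEvent(3064, r"C:\Windows\SysWOW64\ping.exe", r"ping.exe -f -n 1 www.baidu.com"),
    ProcEvent(300, r"C:\Windows\System32\smss.exe", r"\SystemRoot\System32\smss.exe"),
    ProcEvent(2540, r"C:\Windows\system32\AUDIODG.EXE", r"C:\Windows\system32\AUDIODG.EXE 0x4f8"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.rule:34} pid={finding.pid:<5} {finding.detail}")
```

Two points about the rules. The masquerade rule keys on the resolved image, not the command line: the tree's cacls and regsvr32 entries show C:\Windows\System32\... on the command line but C:\Windows\SysWOW64\... as the image, because the sample is 32-bit and WOW64 file-system redirection maps System32 to SysWOW64 for it, which is also why the dropped com\smss.exe and com\lsass.exe run from C:\Windows\SysWOW64\com. The ACL rule fires on the Admin:F grants as well as Everyone:F; on a production estate, gate it on the parent process not being an installer or setup engine rather than loosening the grant check, since Full Control on anything under C:\Windows is rarely legitimate outside installation.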
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Defense Evasion
  Indicator Removal (2)
    Clear Persistence (1)
    File Deletion (1)
  Modify Registry (2)
Discovery
  Peripheral Device Discovery (1)
  Query Registry (1)
  Remote System Discovery (1)
  Software Discovery (1)
    Security Software Discovery (1)
  System Information Discovery (3)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)
Downloads
-
Filesize 4KB
MD5 8e336906e90cb3558fb9704d0921e27a
SHA1 59ad8af4982e287954ecf0afaa2f28bc1ba578bc
SHA256 7c9b6f4a222d9b110ff7abecd2cd9ae7d4a7c8229e5c8b5a39da007127735897
SHA512 0a6a13daccd9f149ef5417d87ff0d9dee0564fe42dcb2cd61782dc5af744e218f68c04ed2705eba8ab3c2867af81ad487f58efe3d620cd30c433e0d382efed24
-
Filesize 404KB (same hashes as the submitted sample)
MD5 7f85f00af073eeaba1e19077285ae933
SHA1 8ab10781d4965f97ba6fba83f651aa63b547168a
SHA256 e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984
SHA512 e05ee6247bf1074166cecaa6254e12ecf278dd0156871803982d6541c0f55dfa06479bd2660c7ef7beb4e1a31a0d5612be7fba8c417e9bfc86e2da13460befd6
-
Filesize 44KB
MD5 d3777f588e34bbc50a1c08d472b94a83
SHA1 abcbccde250c3a142347efc32c5a89869ead61f4
SHA256 0b10b6bdf21f31107be9140d4e8c1120c60e057421aee2a17b4b674f2b7d2b0b
SHA512 8701d268b2ea969bf4a21a13f6898d6ff21752f51bb1cbe24017422f5835a4ec5423c398f0593226affa3a2e353ff2fc30c6ec239bcc4bc3e7b09dd3f42b67cc
-
Filesize 21KB
MD5 ecc52a71f452d05a30b9b521d8ed9025
SHA1 fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e
SHA256 f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0
SHA512 d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f
-
Filesize 243KB
MD5 1cf46cbf40ec16bef528ebc2fd7f03dc
SHA1 54069df6e6d11b93dca22d8461b9588302f912c6
SHA256 d2694a4d43613b3f304a23502249e29cb6746cddae79b5a667b5b319c1ae5dbf
SHA512 fecce695232c69ff961239f42c9637d2990ba3bbd5fc9d5709eed153e33a66d2caff05f782d5d9afd84957bb1828ea53e683e78ef4c99b382ea335d15eec2dea
-
Filesize 80KB
MD5 4c17312e44a4000a782a5c71b04b5faa
SHA1 47c4c0f3b80f809957ddff48b28211d992f3e9f5
SHA256 a059aa3b5462a3d602fe29590dd8ca78fbb9e90f3402a3e41e2688d08d552341
SHA512 8ea955e5cdb2ba2cac15018a82b270f3eabce3d311123fc5e39c7b5f3606782a56811086ca4bb10196e9664df88c8d1609fa3bc259cf7dee0fb1ce70cc5a0c14
-
Filesize 23KB
MD5 c08ba4c0a84a6d5dbd2f8c99ecfe7116
SHA1 a031a2147851c856eff0161a266e33410aa94604
SHA256 7ee24ac81046fc2e214423d816b9f805992a4aa2d9a3f9567699142e69bc863f
SHA512 ddd4da03ef846c8addd3e7168c08c3ce8d354c5d82e4dd94903e918338745f5f8ec47cb6688df482e0afd68f28c4fbd2e48a3d2cae52f145cc451a77532d7f01