Analysis
max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/10/2024, 14:19
Behavioral task
behavioral1
Sample
7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target: 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Size: 404KB
MD5: 7f85f00af073eeaba1e19077285ae933
SHA1: 8ab10781d4965f97ba6fba83f651aa63b547168a
SHA256: e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984
SHA512: e05ee6247bf1074166cecaa6254e12ecf278dd0156871803982d6541c0f55dfa06479bd2660c7ef7beb4e1a31a0d5612be7fba8c417e9bfc86e2da13460befd6
SSDEEP: 6144:+tiKbV4FeQ277LUnc2Emm4FSM1A4N87E/hTOZsSNBMlxUAFvnMB8ZN4Gb/Deg7o9:gi86Q/QnFlA+8FExF0B8ZeYeg7QnNxwa
Malware Config
Signatures
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 5 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options lsass.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options lsass.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options smss.exe
Note: every row under this signature is a deletion of the IFEO key; the report records no Debugger value being written. The same deletions are listed again under Indicator Removal: Clear Persistence below.
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule
behavioral2/files/0x000c000000023b8a-58.dat acprotect
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation lsass.exe
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation lsass.exe
Executes dropped EXE 10 IoCs
pid Process
2268 smss.exe
2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
3984 smss.exe
1716 lsass.exe
4132 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
1204 lsass.exe
5020 smss.exe
3724 smss.exe
3428 smss.exe
3312 smss.exe
Loads dropped DLL 3 IoCs
pid Process
1716 lsass.exe
1412 regsvr32.exe
3312 smss.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Note: the only operation recorded under this signature is a deletion of the Run key; the report shows no Run value being set.
Checks for any installed AV software in registry 1 TTPs 4 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService lsass.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService lsass.exe
Checks whether UAC is enabled 4 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\E: 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
File opened (read-only) \??\E: 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File opened (read-only) \??\E: lsass.exe
File opened (read-only) \??\E: lsass.exe
File opened (read-only) \??\G: lsass.exe
Indicator Removal: Clear Persistence 5 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options smss.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options lsass.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options lsass.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops autorun.inf file 1 TTPs 13 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification C:\AUTORUN.INF 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File opened for modification C:\AUTORUN.INF lsass.exe
File opened for modification D:\AUTORUN.INF lsass.exe
File opened for modification \??\E:\AUTORUN.INF lsass.exe
File opened for modification \??\E:\AUTORUN.INF lsass.exe
File opened for modification C:\AUTORUN.INF 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
File opened for modification D:\AUTORUN.INF 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
File opened for modification \??\E:\AUTORUN.INF 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
File created C:\AUTORUN.INF lsass.exe
File opened for modification D:\AUTORUN.INF lsass.exe
File opened for modification D:\AUTORUN.INF 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File opened for modification \??\E:\AUTORUN.INF 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File opened for modification C:\AUTORUN.INF lsass.exe
Drops file in System32 directory 21 IoCs
description ioc Process
File created C:\Windows\SysWOW64\com\lsass.exe 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File created C:\Windows\SysWOW64\com\netcfg.dll lsass.exe
File created C:\Windows\SysWOW64\dnsq.dll lsass.exe
File created C:\Windows\SysWOW64\com\netcfg.000 lsass.exe
File opened for modification C:\Windows\SysWOW64\dnsq.dll lsass.exe
File opened for modification C:\Windows\SysWOW64\com\bak lsass.exe
File opened for modification C:\Windows\SysWOW64\com\smss.exe 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\com\smss.exe 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File opened for modification C:\Windows\SysWOW64\com\lsass.exe 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File opened for modification C:\Windows\SysWOW64\com\lsass.exe lsass.exe
File opened for modification C:\Windows\SysWOW64\com\netcfg.dll lsass.exe
File opened for modification \??\c:\windows\SysWOW64\com\lsass.exe lsass.exe
File created C:\Windows\SysWOW64\00302.log 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
File created C:\Windows\SysWOW64\00302.log lsass.exe
File created C:\Windows\SysWOW64\com\smss.exe lsass.exe
File opened for modification C:\Windows\SysWOW64\com\netcfg.000 lsass.exe
File opened for modification C:\Windows\SysWOW64\com\smss.exe lsass.exe
File created C:\Windows\SysWOW64\00302.log 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
File created C:\Windows\SysWOW64\com\smss.exe 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
File created C:\Windows\SysWOW64\00302.log lsass.exe
File opened for modification C:\Windows\SysWOW64\com\smss.exe lsass.exe
UPX packed file 33 IoCs
resource yara_rule (rule upx, matched on dropped files and on process memory)
behavioral2/memory/1064-0-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/files/0x000b000000023b87-7.dat upx
behavioral2/memory/2268-8-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/2268-11-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/files/0x000b000000023b8a-13.dat upx
behavioral2/memory/1064-15-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/3984-27-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/files/0x0002000000022dcd-30.dat upx
behavioral2/memory/1716-31-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/2900-35-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/1204-46-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/files/0x000c000000023b8a-58.dat upx
behavioral2/memory/1716-59-0x0000000010000000-0x0000000010012000-memory.dmp upx
behavioral2/memory/5020-68-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/3724-71-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/3428-73-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/1716-74-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/1716-78-0x0000000010000000-0x0000000010012000-memory.dmp upx
behavioral2/memory/1716-79-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/3312-81-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/3312-83-0x0000000010000000-0x0000000010012000-memory.dmp upx
behavioral2/memory/1716-84-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/1716-88-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/1716-92-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/1716-96-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/1716-100-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/1716-104-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/1716-108-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/1716-112-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/1716-116-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/1716-120-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/1716-124-0x0000000000400000-0x0000000000430000-memory.dmp upx
behavioral2/memory/1716-132-0x0000000000400000-0x0000000000430000-memory.dmp upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 42 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 42 rows in total, by process:
cacls.exe (18)
cmd.exe (16)
lsass.exe (2)
smss.exe (2)
7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe (1)
7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log (1)
regsvr32.exe (1)
ping.exe (1)
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
2448 ping.exe
Modifies registry class 64 IoCs
description ioc (Process for every row: regsvr32.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"
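The signature tables above (the System32 drops, the AUTORUN.INF writes on every drive root, the IFEO key deletions and the regsvr32 COM registration of netcfg.dll) are what a responder turns into a host checklist. The script below is an added example for this page, not sandbox tooling: it parses rows in the report's own flattened "description ioc Process" layout and groups them into files, drive roots, registry keys and process names to hunt for. SAMPLE_LINES are rows copied from the tables above; the grouping rules are this example's own. Note that the lsass.exe and smss.exe it lists live under C:\Windows\SysWOW64\com, which is the dropped look-alikes' location, not the genuine System32 binaries.

```python
"""Turn the report's flattened "description ioc Process" rows into a hunting checklist.

Added example for this report page (not sandbox tooling). Rows are printed as
"<action> <target> <process>" run together on one line; the target may contain
spaces (registry keys) and, for "Set value" rows, a ' = "value"' suffix.
SAMPLE_LINES are rows copied from the report's own tables; the grouping in
hunting_checklist() is this example's reading of them.
"""
import re

ACTIONS = (
    "File created",
    "File opened for modification",
    "File opened (read-only)",
    "Key created",
    "Key deleted",
    "Key opened",
    "Key value queried",
    "Set value (str)",
)
_ALT = "|".join(re.escape(a) for a in ACTIONS)
# A new row starts wherever an action phrase is followed by whitespace.
_SPLIT = re.compile(r"(?=(?:" + _ALT + r")\s)")
# action, target (may contain spaces), process (last whitespace-free token)
_ROW = re.compile(r"^(" + _ALT + r")\s+(.+?)\s+(\S+)$")

# Rows copied from the report tables (System32 drops, autorun.inf, IFEO key
# deletions, COM registration); the "description ioc Process" header is part of each line.
SAMPLE_LINES = [
    r"description ioc Process File created C:\Windows\SysWOW64\com\lsass.exe 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log File created C:\Windows\SysWOW64\com\netcfg.dll lsass.exe File created C:\Windows\SysWOW64\dnsq.dll lsass.exe File opened for modification \??\c:\windows\SysWOW64\com\lsass.exe lsass.exe",
    r"description ioc Process File opened for modification C:\AUTORUN.INF lsass.exe File opened for modification D:\AUTORUN.INF lsass.exe File opened for modification \??\E:\AUTORUN.INF lsass.exe File created C:\AUTORUN.INF lsass.exe",
    r"description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options lsass.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options smss.exe",
    r'description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" regsvr32.exe',
]


def parse_rows(line):
    """Return [(action, target, process), ...] for one flattened table line."""
    rows = []
    for chunk in _SPLIT.split(line):
        m = _ROW.match(chunk.strip())
        if m:  # the "description ioc Process" header never matches and is dropped
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def _norm_path(p):
    """Strip the NT object-manager prefix and fold case (NTFS paths are case-insensitive)."""
    return p[4:].lower() if p.startswith("\\??\\") else p.lower()


def hunting_checklist(rows):
    """Group parsed rows into what to look for on a suspect host."""
    out = {"files": set(), "autorun_roots": set(), "registry_keys": set(), "processes": set()}
    for action, target, proc in rows:
        out["processes"].add(proc)
        if action.startswith("File"):
            path = _norm_path(target)
            if path.endswith(r":\autorun.inf"):
                out["autorun_roots"].add(path[:2].upper())
            elif action != "File opened (read-only)":  # drive-enumeration rows are not drops
                out["files"].add(path)
        else:
            key, _, value = target.partition(" = ")
            out["registry_keys"].add(key.rstrip("\\"))
            value = value.strip('"').replace("\\\\", "\\")
            # A COM server path written by regsvr32 is a file IoC as well.
            if re.match(r"^[a-z]:\\", value, re.I) and value.lower().endswith((".dll", ".exe")):
                out["files"].add(_norm_path(value))
    return out


def checklist_from_lines(lines):
    rows = [row for line in lines for row in parse_rows(line)]
    return hunting_checklist(rows)


if __name__ == "__main__":
    for section, items in checklist_from_lines(SAMPLE_LINES).items():
        print(section)
        for item in sorted(items):
            print("   ", item)
```

Feed it the other tables on this page (the Run key deletion, the AntiVirService and EnableLUA queries, the remaining 63 COM rows) to get the full list; the split regex only needs the action phrases extended if a report uses actions not listed in ACTIONS.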
Runs ping.exe 1 TTPs 1 IoCs
pid Process
2448 ping.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process (rows)
1064 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe (2)
2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log (2)
1716 lsass.exe (2)
1204 lsass.exe (2)
Suspicious behavior: LoadsDriver 4 IoCs
pid Process (rows)
660 Process not Found (4)
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process
Token: SeDebugPrivilege 1064 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
Token: SeDebugPrivilege 2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
Token: SeDebugPrivilege 1716 lsass.exe
Token: SeDebugPrivilege 1204 lsass.exe
Suspicious use of SetWindowsHookEx 17 IoCs
pid Process (rows)
1064 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe (4)
2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log (4)
1716 lsass.exe (5)
1204 lsass.exe (4)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (rows)
Each parent/child pair is recorded three times in the report except the last, which appears once; one line per distinct row below.
PID 1064 wrote to memory of 3160 | 1064 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | 86 | (3)
PID 1064 wrote to memory of 1684 | 1064 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | 87 | (3)
PID 1064 wrote to memory of 5076 | 1064 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | 90 | (3)
PID 1064 wrote to memory of 1140 | 1064 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | 93 | (3)
PID 1140 wrote to memory of 2268 | 1140 cmd.exe | 95 | (3)
PID 1064 wrote to memory of 2900 | 1064 7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | 96 | (3)
PID 2900 wrote to memory of 5048 | 2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | 97 | (3)
PID 2900 wrote to memory of 2796 | 2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | 98 | (3)
PID 2900 wrote to memory of 1196 | 2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | 100 | (3)
PID 2900 wrote to memory of 2720 | 2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | 102 | (3)
PID 2900 wrote to memory of 3220 | 2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | 104 | (3)
PID 2900 wrote to memory of 316 | 2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | 107 | (3)
PID 2900 wrote to memory of 3472 | 2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | 109 | (3)
PID 2900 wrote to memory of 4636 | 2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | 111 | (3)
PID 4636 wrote to memory of 3984 | 4636 cmd.exe | 113 | (3)
PID 2900 wrote to memory of 1716 | 2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | 114 | (3)
PID 2900 wrote to memory of 4132 | 2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | 115 | (3)
PID 2900 wrote to memory of 1204 | 2900 7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | 116 | (3)
PID 1716 wrote to memory of 3164 | 1716 lsass.exe | 118 | (3)
PID 1716 wrote to memory of 4496 | 1716 lsass.exe | 119 | (3)
PID 1716 wrote to memory of 3300 | 1716 lsass.exe | 121 | (3)
PID 1716 wrote to memory of 3372 | 1716 lsass.exe | 123 | (1)
Processes
- PID 1064 C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe"
  Signatures: Event Triggered Execution: Image File Execution Options Injection; Checks computer location settings; Adds Run key to start application; Checks for any installed AV software in registry; Checks whether UAC is enabled; Enumerates connected drives; Indicator Removal: Clear Persistence; Drops autorun.inf file; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - PID 3160 C:\Windows\SysWOW64\cacls.exe
    Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    Signatures: System Location Discovery: System Language Discovery
  - PID 1684 C:\Windows\SysWOW64\cacls.exe
    Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
    Signatures: System Location Discovery: System Language Discovery
  - PID 5076 C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c echo ok
    Signatures: System Location Discovery: System Language Discovery
  - PID 1140 C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - PID 2268 C:\Windows\SysWOW64\com\smss.exe
      Command line: C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - PID 2900 \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
    Command line: "c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"
    Signatures: Event Triggered Execution: Image File Execution Options Injection; Checks computer location settings; Executes dropped EXE; Checks for any installed AV software in registry; Checks whether UAC is enabled; Enumerates connected drives; Indicator Removal: Clear Persistence; Drops autorun.inf file; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - PID 5048 C:\Windows\SysWOW64\cacls.exe
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      Signatures: System Location Discovery: System Language Discovery
    - PID 2796 C:\Windows\SysWOW64\cacls.exe
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
      Signatures: System Location Discovery: System Language Discovery
    - PID 1196 C:\Windows\SysWOW64\cacls.exe
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
      Signatures: System Location Discovery: System Language Discovery
    - PID 2720 C:\Windows\SysWOW64\cacls.exe
      Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
      Signatures: System Location Discovery: System Language Discovery
    - PID 3220 C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c echo ok
      Signatures: System Location Discovery: System Language Discovery
    - PID 316 C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
      Signatures: System Location Discovery: System Language Discovery
    - PID 3472 C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
      Signatures: System Location Discovery: System Language Discovery
    - PID 4636 C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - PID 3984 C:\Windows\SysWOW64\com\smss.exe
        Command line: C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
        Signatures: Executes dropped EXE
    - PID 1716 C:\Windows\SysWOW64\com\lsass.exe
      Command line: "C:\Windows\system32\com\lsass.exe"
      Signatures: Event Triggered Execution: Image File Execution Options Injection; Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Checks for any installed AV software in registry; Checks whether UAC is enabled; Enumerates connected drives; Indicator Removal: Clear Persistence; Drops autorun.inf file; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - PID 3164 C:\Windows\SysWOW64\cacls.exe
        Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
        Signatures: System Location Discovery: System Language Discovery
      - PID 4496 C:\Windows\SysWOW64\cacls.exe
        Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
        Signatures: System Location Discovery: System Language Discovery
      - PID 3300 C:\Windows\SysWOW64\cacls.exe
        Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
        Signatures: System Location Discovery: System Language Discovery
      - PID 3372 C:\Windows\SysWOW64\cacls.exe
        Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
        Signatures: System Location Discovery: System Language Discovery
      - PID 3636 C:\Windows\SysWOW64\cacls.exe
        Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
        Signatures: System Location Discovery: System Language Discovery
      - PID 4296 C:\Windows\SysWOW64\cacls.exe
        Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
        Signatures: System Location Discovery: System Language Discovery
      - PID 2132 C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c echo ok
        Signatures: System Location Discovery: System Language Discovery
      - PID 3720 C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
        Signatures: System Location Discovery: System Language Discovery
      - PID 2096 C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
        Signatures: System Location Discovery: System Language Discovery
      - PID 1412 C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
        Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
      - PID 3620 C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"
        Signatures: System Location Discovery: System Language Discovery
        - PID 5020 C:\Windows\SysWOW64\com\smss.exe
          Command line: C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
          Signatures: Executes dropped EXE
      - PID 3220 C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"
        Signatures: System Location Discovery: System Language Discovery
        - PID 3724 C:\Windows\SysWOW64\com\smss.exe
          Command line: C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
          Signatures: Executes dropped EXE
      - PID 4788 C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|E:\pagefile.pif"
        Signatures: System Location Discovery: System Language Discovery
        - PID 3428 C:\Windows\SysWOW64\com\smss.exe
          Command line: C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
          Signatures: Executes dropped EXE
      - PID 3312 C:\Windows\SysWOW64\com\smss.exe
        Command line: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
        Signatures: Event Triggered Execution: Image File Execution Options Injection; Executes dropped EXE; Loads dropped DLL; Indicator Removal: Clear Persistence; System Location Discovery: System Language Discovery
      - PID 1180 C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
        Signatures: System Location Discovery: System Language Discovery
      - PID 4104 C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
        Signatures: System Location Discovery: System Language Discovery
      - PID 2448 C:\Windows\SysWOW64\ping.exe
        Command line: ping.exe -f -n 1 www.baidu.com
        Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - PID 4132 C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
      Command line: "C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"
      Signatures: Executes dropped EXE
    - PID 1204 C:\Windows\SysWOW64\com\lsass.exe
      Command line: ^c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
      Signatures: Event Triggered Execution: Image File Execution Options Injection; Checks computer location settings; Executes dropped EXE; Checks for any installed AV software in registry; Checks whether UAC is enabled; Enumerates connected drives; Indicator Removal: Clear Persistence; Drops autorun.inf file; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - PID 1944 C:\Windows\SysWOW64\cacls.exe
        Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
        Signatures: System Location Discovery: System Language Discovery
      - PID 5084 C:\Windows\SysWOW64\cacls.exe
        Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
        Signatures: System Location Discovery: System Language Discovery
      - PID 1120 C:\Windows\SysWOW64\cacls.exe
        Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
        Signatures: System Location Discovery: System Language Discovery
      - PID 4092 C:\Windows\SysWOW64\cacls.exe
        Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
        Signatures: System Location Discovery: System Language Discovery
      - PID 4992 C:\Windows\SysWOW64\cacls.exe
        Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
        Signatures: System Location Discovery: System Language Discovery
      - PID 2024 C:\Windows\SysWOW64\cacls.exe
        Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
        Signatures: System Location Discovery: System Language Discovery
      - PID 4780 C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c echo ok
        Signatures: System Location Discovery: System Language Discovery
      - PID 3116 C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
        Signatures: System Location Discovery: System Language Discovery
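The process tree above is a compact set of detection opportunities: copies of smss.exe and lsass.exe running from a directory that is not C:\Windows\System32, cacls granting Everyone full control under System32, cmd.exe removing .exe files under System32, a silent regsvr32 of a DLL from the dropped com directory, a Startup-folder executable, and pagefile.pif at the root of every drive. As an added example (not part of the original sandbox report), the Python below encodes those patterns as rules and runs them over a constructed event list modelled on the tree (PIDs and command lines taken from it, plus one benign control for the real smss.exe). The event field names (pid, ppid, image, cmdline) mirror Sysmon Event ID 1 and are an assumption about the log source; the rule names and regexes are mine.

```python
"""Triage of process-creation events for the behaviours in the process tree
above. Added example; not part of the original sandbox report. Each event has
the fields a Sysmon Event ID 1 or EDR process-start record carries: pid, ppid,
image (full path) and cmdline. SAMPLE_EVENTS is constructed from the report's
tree (PIDs and command lines taken from it) plus one benign control, the real
smss.exe; it is not a captured log."""
import re

SAMPLE = r"c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"
COM = r"C:\Windows\system32\com"  # drop directory created by the sample


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [
    ev(1064, 900, SAMPLE, f'"{SAMPLE}"'),
    ev(1684, 1064, r"C:\Windows\SysWOW64\cacls.exe",
       rf'"C:\Windows\System32\cacls.exe" {COM} /e /t /g Everyone:F'),
    ev(5076, 1064, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c echo ok"),
    ev(2268, 1140, r"C:\Windows\SysWOW64\com\smss.exe",
       rf"{COM}\smss.exe {SAMPLE}|{SAMPLE}.log"),
    ev(2900, 1064, SAMPLE + ".log", f'"{SAMPLE}.log"'),
    ev(316, 2900, r"C:\Windows\SysWOW64\cmd.exe", rf'cmd.exe /c rd /s /q "{COM}\smss.exe"'),
    ev(1716, 2900, r"C:\Windows\SysWOW64\com\lsass.exe", rf'"{COM}\lsass.exe"'),
    ev(1412, 1716, r"C:\Windows\SysWOW64\regsvr32.exe",
       rf'"C:\Windows\System32\regsvr32.exe" {COM}\netcfg.dll /s'),
    ev(3620, 1716, r"C:\Windows\SysWOW64\cmd.exe",
       rf'cmd.exe /c "{COM}\smss.exe {COM}\lsass.exe^|C:\pagefile.pif"'),
    ev(5020, 3620, r"C:\Windows\SysWOW64\com\smss.exe",
       rf"{COM}\smss.exe {COM}\lsass.exe|C:\pagefile.pif"),
    ev(3312, 1716, r"C:\Windows\SysWOW64\com\smss.exe",
       r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe"),
    ev(2448, 1716, r"C:\Windows\SysWOW64\ping.exe", "ping.exe -f -n 1 www.baidu.com"),
    ev(400, 4, r"C:\Windows\System32\smss.exe", r"\SystemRoot\System32\smss.exe"),  # benign
]

# Core Windows processes that exist only in C:\Windows\System32 (there is no
# SysWOW64 copy of smss.exe or lsass.exe), so any other directory is a masquerade.
CORE_SYSTEM_IMAGES = {"smss.exe", "lsass.exe", "csrss.exe", "wininit.exe",
                      "winlogon.exe", "services.exe"}
STANDARD_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# cacls "/g Everyone:F", icacls "/grant Everyone:(F)", or the SID form *S-1-1-0.
ACL_EVERYONE_FULL_RE = re.compile(r"/g(?:rant)?\s+(?:everyone|\*s-1-1-0)\s*:\s*\(?f\)?", re.I)
# rd/rmdir/del/erase aimed at a path under C:\Windows\System32.
DELETE_SYSTEM32_RE = re.compile(r"\b(?:rd|rmdir|del|erase)\b.*?[a-z]:\\windows\\system32\\", re.I)
DLL_PATH_RE = re.compile(r'([a-z]:\\[^\s"]+\.dll)', re.I)
SILENT_FLAG_RE = re.compile(r"(?:^|\s)/s\b", re.I)
# pagefile.pif at a drive root: named to resemble pagefile.sys, planted beside autorun.inf.
DRIVE_ROOT_PIF_RE = re.compile(r"\b[a-z]:\\pagefile\.pif\b", re.I)
STARTUP_FOLDER = "\\start menu\\programs\\startup\\"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def rule_masquerading_system_binary(e):
    return basename(e["image"]) in CORE_SYSTEM_IMAGES and dirname(e["image"]) != r"c:\windows\system32"


def rule_acl_grant_everyone_full(e):
    return basename(e["image"]) in {"cacls.exe", "icacls.exe"} and bool(ACL_EVERYONE_FULL_RE.search(e["cmdline"]))


def rule_deletes_system32_file(e):
    return basename(e["image"]) == "cmd.exe" and bool(DELETE_SYSTEM32_RE.search(e["cmdline"]))


def rule_silent_regsvr32_nonstandard_dir(e):
    if basename(e["image"]) != "regsvr32.exe":
        return False
    m = DLL_PATH_RE.search(e["cmdline"])
    return m is not None and bool(SILENT_FLAG_RE.search(e["cmdline"])) and dirname(m.group(1)) not in STANDARD_DLL_DIRS


def rule_startup_folder_reference(e):
    return STARTUP_FOLDER in e["cmdline"].lower()


def rule_drive_root_pagefile_pif(e):
    return bool(DRIVE_ROOT_PIF_RE.search(e["cmdline"]))


RULES = [(fn.__name__[len("rule_"):], fn) for fn in (
    rule_masquerading_system_binary, rule_acl_grant_everyone_full, rule_deletes_system32_file,
    rule_silent_regsvr32_nonstandard_dir, rule_startup_folder_reference, rule_drive_root_pagefile_pif)]


def analyze(events):
    """(pid, rule name) for every event that trips a rule; one event may trip several."""
    return [(e["pid"], name) for e in events for name, fn in RULES if fn(e)]


def lineage(events, pid):
    """Image basenames from the highest ancestor present in events down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<34}  {' > '.join(lineage(SAMPLE_EVENTS, pid))}")
```

The masquerade rule is the cheapest and most reliable of the set: Windows ships smss.exe and lsass.exe only in System32, so a path such as C:\Windows\SysWOW64\com\smss.exe needs no further context. The "echo ok" and ping children are deliberately left unflagged, since on their own they are indistinguishable from administrative noise; the lineage helper is what ties such low-signal children back to the dropped lsass.exe that spawned them.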
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Defense Evasion
- Indicator Removal (2): Clear Persistence (1), File Deletion (1)
- Modify Registry (1)
Discovery
- Peripheral Device Discovery (1)
- Query Registry (2)
- Remote System Discovery (1)
- Software Discovery (1): Security Software Discovery (1)
- System Information Discovery (4)
- System Location Discovery (1): System Language Discovery (1)
- System Network Configuration Discovery (1): Internet Connection Discovery (1)
Downloads
- Filesize 4KB
  MD5 8e336906e90cb3558fb9704d0921e27a
  SHA1 59ad8af4982e287954ecf0afaa2f28bc1ba578bc
  SHA256 7c9b6f4a222d9b110ff7abecd2cd9ae7d4a7c8229e5c8b5a39da007127735897
  SHA512 0a6a13daccd9f149ef5417d87ff0d9dee0564fe42dcb2cd61782dc5af744e218f68c04ed2705eba8ab3c2867af81ad487f58efe3d620cd30c433e0d382efed24
- Filesize 404KB
  MD5 7f85f00af073eeaba1e19077285ae933
  SHA1 8ab10781d4965f97ba6fba83f651aa63b547168a
  SHA256 e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984
  SHA512 e05ee6247bf1074166cecaa6254e12ecf278dd0156871803982d6541c0f55dfa06479bd2660c7ef7beb4e1a31a0d5612be7fba8c417e9bfc86e2da13460befd6
- Filesize 80KB
  MD5 4c17312e44a4000a782a5c71b04b5faa
  SHA1 47c4c0f3b80f809957ddff48b28211d992f3e9f5
  SHA256 a059aa3b5462a3d602fe29590dd8ca78fbb9e90f3402a3e41e2688d08d552341
  SHA512 8ea955e5cdb2ba2cac15018a82b270f3eabce3d311123fc5e39c7b5f3606782a56811086ca4bb10196e9664df88c8d1609fa3bc259cf7dee0fb1ce70cc5a0c14
- Filesize 44KB
  MD5 d3777f588e34bbc50a1c08d472b94a83
  SHA1 abcbccde250c3a142347efc32c5a89869ead61f4
  SHA256 0b10b6bdf21f31107be9140d4e8c1120c60e057421aee2a17b4b674f2b7d2b0b
  SHA512 8701d268b2ea969bf4a21a13f6898d6ff21752f51bb1cbe24017422f5835a4ec5423c398f0593226affa3a2e353ff2fc30c6ec239bcc4bc3e7b09dd3f42b67cc
- Filesize 21KB
  MD5 ecc52a71f452d05a30b9b521d8ed9025
  SHA1 fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e
  SHA256 f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0
  SHA512 d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f
- Filesize 23KB
  MD5 c08ba4c0a84a6d5dbd2f8c99ecfe7116
  SHA1 a031a2147851c856eff0161a266e33410aa94604
  SHA256 7ee24ac81046fc2e214423d816b9f805992a4aa2d9a3f9567699142e69bc863f
  SHA512 ddd4da03ef846c8addd3e7168c08c3ce8d354c5d82e4dd94903e918338745f5f8ec47cb6688df482e0afd68f28c4fbd2e48a3d2cae52f145cc451a77532d7f01
- Filesize 243KB
  MD5 1cf46cbf40ec16bef528ebc2fd7f03dc
  SHA1 54069df6e6d11b93dca22d8461b9588302f912c6
  SHA256 d2694a4d43613b3f304a23502249e29cb6746cddae79b5a667b5b319c1ae5dbf
  SHA512 fecce695232c69ff961239f42c9637d2990ba3bbd5fc9d5709eed153e33a66d2caff05f782d5d9afd84957bb1828ea53e683e78ef4c99b382ea335d15eec2dea