Analysis Overview
SHA256
e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984
Threat Level: Likely malicious
The file 7f85f00af073eeaba1e19077285ae933_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Event Triggered Execution: Image File Execution Options Injection
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
Adds Run key to start application
Enumerates connected drives
Indicator Removal: Clear Persistence
Indicator Removal: File Deletion
Checks for any installed AV software in registry
Checks whether UAC is enabled
Drops autorun.inf file
UPX packed file
Drops file in System32 directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 14:19
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 14:19
Reported
2024-10-30 14:21
Platform
win7-20240708-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\smss.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| File opened (read-only) | \??\E: | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\smss.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
Indicator Removal: File Deletion
Drops autorun.inf file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\00302.log | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\lsass.exe | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| File created | C:\Windows\SysWOW64\00302.log | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\smss.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\smss.exe | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\smss.exe | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\smss.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\netcfg.000 | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\00302.log | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\com\smss.exe | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\com\lsass.exe | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| File created | C:\Windows\SysWOW64\com\smss.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\netcfg.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\com\netcfg.000 | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dnsq.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\dnsq.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\bak | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\com\smss.exe | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| File created | C:\Windows\SysWOW64\00302.log | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\lsass.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\com\netcfg.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\com\lsass.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe"
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
\??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
"c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
C:\Windows\SysWOW64\com\lsass.exe
"C:\Windows\system32\com\lsass.exe"
C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
"C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"
C:\Windows\SysWOW64\com\lsass.exe
^c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|E:\pagefile.pif"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
C:\Windows\SysWOW64\com\smss.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
C:\Windows\SysWOW64\ping.exe
ping.exe -f -n 1 www.baidu.com
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8
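The process tree above is the useful detection surface in this report: system-binary names (smss.exe, lsass.exe) executing from a `com` subdirectory of SysWOW64, cacls granting `Everyone:F` under the Windows directory, `rd /s /q` and `del /F /Q` against paths in System32, `regsvr32 /s` on a DLL in that same subdirectory, and `<drive>:\pagefile.pif` named on drive roots. The following is an added example, not part of the sandbox report: a small rule set run over constructed process-creation events whose command lines are copied from the tree above, plus one legitimate smss.exe launch for contrast. The `Event` field names are an assumption chosen for the example, not any EDR's real schema.

```python
"""Added example: command-line detection rules for the behaviour in this report.

The events below are constructed from the process tree in the report; the
Event/Finding field names are assumptions, not a real telemetry schema.
"""
import re
from dataclasses import dataclass

# Names of core Windows binaries that only ever run from the System32 root
# (or its SysWOW64 mirror). The sample drops look-alikes into ...\com\.
PROTECTED_NAMES = {"smss.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class Event:
    image: str    # full path of the created process
    cmdline: str  # command line as logged


@dataclass
class Finding:
    rule: str
    event: Event


def _norm(p: str) -> str:
    return p.strip('"').lower()


def rule_masquerade_path(ev: Event):
    """A protected binary name running from anywhere but the System32/SysWOW64 root."""
    img = _norm(ev.image)
    parent_dir, _, name = img.rpartition("\\")
    if name in PROTECTED_NAMES and parent_dir not in SYSTEM_DIRS:
        return "system_binary_name_outside_system32"
    return None


def rule_cacls_everyone_full(ev: Event):
    """cacls/icacls granting Everyone full control on something under C:\\Windows."""
    c = _norm(ev.cmdline)
    if re.search(r"\b(cacls|icacls)\.exe", c) and re.search(r"/g\s+everyone:f", c) \
            and "\\windows\\" in c:
        return "everyone_full_control_on_windows_dir"
    return None


def rule_pagefile_pif_drop(ev: Event):
    """Any command naming <drive>:\\pagefile.pif, the removable-drive payload path."""
    if re.search(r"\b[a-z]:\\pagefile\.pif\b", _norm(ev.cmdline)):
        return "pagefile_pif_on_drive_root"
    return None


def rule_delete_in_system32(ev: Event):
    """cmd.exe deleting (rd /s /q or del /F /Q) a path under System32."""
    c = _norm(ev.cmdline)
    if re.search(r"\b(rd\s+/s\s+/q|del\s+/f\s+/q)\b", c) and "\\windows\\system32\\" in c:
        return "delete_under_system32"
    return None


def rule_regsvr32_nonstandard(ev: Event):
    """regsvr32 registering a DLL that lives in a subdirectory of System32."""
    c = _norm(ev.cmdline)
    if "regsvr32" in c and re.search(r'\\system32\\[^\\ "]+\\[^\\ "]+\.dll', c):
        return "regsvr32_dll_in_system32_subdir"
    return None


RULES = [rule_masquerade_path, rule_cacls_everyone_full, rule_pagefile_pif_drop,
         rule_delete_in_system32, rule_regsvr32_nonstandard]


def scan(events):
    """Apply every rule to every event; return the findings in rule order per event."""
    return [Finding(hit, ev) for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample: command lines taken from this report's process tree,
# plus a legitimate smss.exe launch that must not fire.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\SysWOW64\com\smss.exe",
          r"C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif"),
    Event(r"C:\Windows\SysWOW64\cacls.exe",
          r'"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F'),
    Event(r"C:\Windows\SysWOW64\cacls.exe",
          r'"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F'),
    Event(r"C:\Windows\SysWOW64\cmd.exe",
          r'cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"'),
    Event(r"C:\Windows\SysWOW64\regsvr32.exe",
          r'"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s'),
    Event(r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /c echo ok"),
    Event(r"C:\Windows\System32\smss.exe", r"\SystemRoot\System32\smss.exe"),
]


def demo():
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.rule:40} {f.event.cmdline}")
```

The `Admin:F` grants and the `echo ok` probes are deliberately not matched: the first is normal administration, the second is noise. The path rule keys on the directory, not on the SysWOW64 redirection visible in the report (image under SysWOW64, command line saying System32), which is why both spellings are in `SYSTEM_DIRS`.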
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 8.8.8.8:53 | js.k0102.com | udp |
| DE | 185.53.179.173:80 | js.k0102.com | tcp |
| US | 8.8.8.8:53 | d38psrni17bvxu.cloudfront.net | udp |
| NL | 18.239.102.108:80 | d38psrni17bvxu.cloudfront.net | tcp |
| US | 8.8.8.8:53 | ifdnzact.com | udp |
| US | 208.91.196.46:80 | ifdnzact.com | tcp |
| US | 208.91.196.46:80 | ifdnzact.com | tcp |
| US | 8.8.8.8:53 | i4.cdn-image.com | udp |
| US | 208.91.196.253:80 | i4.cdn-image.com | tcp |
| US | 208.91.196.253:80 | i4.cdn-image.com | tcp |
Files
memory/1780-0-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\com\smss.exe
| MD5 | ecc52a71f452d05a30b9b521d8ed9025 |
| SHA1 | fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e |
| SHA256 | f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0 |
| SHA512 | d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f |
memory/2704-8-0x0000000000160000-0x000000000016F000-memory.dmp
memory/2852-12-0x0000000000400000-0x000000000040F000-memory.dmp
memory/2704-10-0x0000000000160000-0x000000000016F000-memory.dmp
memory/2852-15-0x0000000000400000-0x000000000040F000-memory.dmp
memory/1780-23-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2908-22-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1780-21-0x0000000002DE0000-0x0000000002E10000-memory.dmp
memory/1780-20-0x0000000002DE0000-0x0000000002E10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
| MD5 | 7f85f00af073eeaba1e19077285ae933 |
| SHA1 | 8ab10781d4965f97ba6fba83f651aa63b547168a |
| SHA256 | e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984 |
| SHA512 | e05ee6247bf1074166cecaa6254e12ecf278dd0156871803982d6541c0f55dfa06479bd2660c7ef7beb4e1a31a0d5612be7fba8c417e9bfc86e2da13460befd6 |
memory/2892-35-0x0000000000400000-0x000000000040F000-memory.dmp
\??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~
| MD5 | 1cf46cbf40ec16bef528ebc2fd7f03dc |
| SHA1 | 54069df6e6d11b93dca22d8461b9588302f912c6 |
| SHA256 | d2694a4d43613b3f304a23502249e29cb6746cddae79b5a667b5b319c1ae5dbf |
| SHA512 | fecce695232c69ff961239f42c9637d2990ba3bbd5fc9d5709eed153e33a66d2caff05f782d5d9afd84957bb1828ea53e683e78ef4c99b382ea335d15eec2dea |
\Windows\SysWOW64\com\lsass.exe
| MD5 | 4c17312e44a4000a782a5c71b04b5faa |
| SHA1 | 47c4c0f3b80f809957ddff48b28211d992f3e9f5 |
| SHA256 | a059aa3b5462a3d602fe29590dd8ca78fbb9e90f3402a3e41e2688d08d552341 |
| SHA512 | 8ea955e5cdb2ba2cac15018a82b270f3eabce3d311123fc5e39c7b5f3606782a56811086ca4bb10196e9664df88c8d1609fa3bc259cf7dee0fb1ce70cc5a0c14 |
memory/2908-44-0x0000000002CB0000-0x0000000002CE0000-memory.dmp
memory/308-45-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2040-55-0x0000000000400000-0x0000000000430000-memory.dmp
C:\NetApi00.sys
| MD5 | 8e336906e90cb3558fb9704d0921e27a |
| SHA1 | 59ad8af4982e287954ecf0afaa2f28bc1ba578bc |
| SHA256 | 7c9b6f4a222d9b110ff7abecd2cd9ae7d4a7c8229e5c8b5a39da007127735897 |
| SHA512 | 0a6a13daccd9f149ef5417d87ff0d9dee0564fe42dcb2cd61782dc5af744e218f68c04ed2705eba8ab3c2867af81ad487f58efe3d620cd30c433e0d382efed24 |
memory/2908-57-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2040-69-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\com\netcfg.000
| MD5 | d3777f588e34bbc50a1c08d472b94a83 |
| SHA1 | abcbccde250c3a142347efc32c5a89869ead61f4 |
| SHA256 | 0b10b6bdf21f31107be9140d4e8c1120c60e057421aee2a17b4b674f2b7d2b0b |
| SHA512 | 8701d268b2ea969bf4a21a13f6898d6ff21752f51bb1cbe24017422f5835a4ec5423c398f0593226affa3a2e353ff2fc30c6ec239bcc4bc3e7b09dd3f42b67cc |
\Windows\SysWOW64\dnsq.dll
| MD5 | c08ba4c0a84a6d5dbd2f8c99ecfe7116 |
| SHA1 | a031a2147851c856eff0161a266e33410aa94604 |
| SHA256 | 7ee24ac81046fc2e214423d816b9f805992a4aa2d9a3f9567699142e69bc863f |
| SHA512 | ddd4da03ef846c8addd3e7168c08c3ce8d354c5d82e4dd94903e918338745f5f8ec47cb6688df482e0afd68f28c4fbd2e48a3d2cae52f145cc451a77532d7f01 |
memory/308-82-0x0000000010000000-0x0000000010012000-memory.dmp
memory/2032-86-0x00000000000B0000-0x00000000000BF000-memory.dmp
memory/2032-88-0x00000000000B0000-0x00000000000BF000-memory.dmp
memory/2352-92-0x0000000000400000-0x000000000040F000-memory.dmp
memory/2712-100-0x0000000000400000-0x000000000040F000-memory.dmp
memory/308-99-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2720-101-0x0000000000400000-0x000000000040F000-memory.dmp
memory/2216-104-0x0000000000120000-0x000000000012F000-memory.dmp
memory/308-103-0x0000000010000000-0x0000000010012000-memory.dmp
memory/2216-106-0x0000000000120000-0x000000000012F000-memory.dmp
memory/2508-109-0x0000000000400000-0x000000000040F000-memory.dmp
memory/308-112-0x0000000000540000-0x000000000054F000-memory.dmp
memory/2696-116-0x0000000010000000-0x0000000010012000-memory.dmp
memory/308-117-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2636-121-0x0000000000400000-0x000000000040F000-memory.dmp
memory/308-123-0x0000000000540000-0x000000000054F000-memory.dmp
memory/2552-124-0x0000000000400000-0x000000000040F000-memory.dmp
memory/2696-125-0x0000000000400000-0x000000000040F000-memory.dmp
memory/2696-126-0x0000000010000000-0x0000000010012000-memory.dmp
memory/308-129-0x0000000000400000-0x0000000000430000-memory.dmp
memory/308-133-0x0000000000400000-0x0000000000430000-memory.dmp
memory/308-137-0x0000000000400000-0x0000000000430000-memory.dmp
memory/308-141-0x0000000000400000-0x0000000000430000-memory.dmp
memory/308-145-0x0000000000400000-0x0000000000430000-memory.dmp
memory/308-149-0x0000000000400000-0x0000000000430000-memory.dmp
memory/308-153-0x0000000000400000-0x0000000000430000-memory.dmp
memory/308-157-0x0000000000400000-0x0000000000430000-memory.dmp
memory/308-161-0x0000000000400000-0x0000000000430000-memory.dmp
memory/308-165-0x0000000000400000-0x0000000000430000-memory.dmp
memory/308-169-0x0000000000400000-0x0000000000430000-memory.dmp
memory/308-177-0x0000000000400000-0x0000000000430000-memory.dmp
memory/308-181-0x0000000000400000-0x0000000000430000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-30 14:19
Reported
2024-10-30 14:21
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\smss.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| File opened (read-only) | \??\E: | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\smss.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Indicator Removal: File Deletion
Drops autorun.inf file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\com\lsass.exe | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| File created | C:\Windows\SysWOW64\com\netcfg.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\dnsq.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\com\netcfg.000 | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dnsq.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\bak | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\smss.exe | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\smss.exe | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\lsass.exe | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\lsass.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\netcfg.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\com\lsass.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\00302.log | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| File created | C:\Windows\SysWOW64\00302.log | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\com\smss.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\netcfg.000 | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\smss.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\00302.log | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\com\smss.exe | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\00302.log | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\smss.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe"
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
\??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
"c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
C:\Windows\SysWOW64\com\lsass.exe
"C:\Windows\system32\com\lsass.exe"
C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
"C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"
C:\Windows\SysWOW64\com\lsass.exe
^c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|E:\pagefile.pif"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
C:\Windows\SysWOW64\com\smss.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
C:\Windows\SysWOW64\ping.exe
ping.exe -f -n 1 www.baidu.com
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | js.k0102.com | udp |
| DE | 185.53.179.173:80 | js.k0102.com | tcp |
| US | 8.8.8.8:53 | d38psrni17bvxu.cloudfront.net | udp |
| NL | 18.239.102.197:80 | d38psrni17bvxu.cloudfront.net | tcp |
| US | 8.8.8.8:53 | ifdnzact.com | udp |
| US | 208.91.196.46:80 | ifdnzact.com | tcp |
| US | 8.8.8.8:53 | 173.179.53.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.102.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.196.91.208.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\Com\smss.exe
| MD5 | ecc52a71f452d05a30b9b521d8ed9025 |
| SHA1 | fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e |
| SHA256 | f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0 |
| SHA512 | d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f |
C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
| MD5 | 7f85f00af073eeaba1e19077285ae933 |
| SHA1 | 8ab10781d4965f97ba6fba83f651aa63b547168a |
| SHA256 | e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984 |
| SHA512 | e05ee6247bf1074166cecaa6254e12ecf278dd0156871803982d6541c0f55dfa06479bd2660c7ef7beb4e1a31a0d5612be7fba8c417e9bfc86e2da13460befd6 |
\??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~
| MD5 | 1cf46cbf40ec16bef528ebc2fd7f03dc |
| SHA1 | 54069df6e6d11b93dca22d8461b9588302f912c6 |
| SHA256 | d2694a4d43613b3f304a23502249e29cb6746cddae79b5a667b5b319c1ae5dbf |
| SHA512 | fecce695232c69ff961239f42c9637d2990ba3bbd5fc9d5709eed153e33a66d2caff05f782d5d9afd84957bb1828ea53e683e78ef4c99b382ea335d15eec2dea |
C:\Windows\SysWOW64\Com\lsass.exe
| MD5 | 4c17312e44a4000a782a5c71b04b5faa |
| SHA1 | 47c4c0f3b80f809957ddff48b28211d992f3e9f5 |
| SHA256 | a059aa3b5462a3d602fe29590dd8ca78fbb9e90f3402a3e41e2688d08d552341 |
| SHA512 | 8ea955e5cdb2ba2cac15018a82b270f3eabce3d311123fc5e39c7b5f3606782a56811086ca4bb10196e9664df88c8d1609fa3bc259cf7dee0fb1ce70cc5a0c14 |
C:\NetApi00.sys
| MD5 | 8e336906e90cb3558fb9704d0921e27a |
| SHA1 | 59ad8af4982e287954ecf0afaa2f28bc1ba578bc |
| SHA256 | 7c9b6f4a222d9b110ff7abecd2cd9ae7d4a7c8229e5c8b5a39da007127735897 |
| SHA512 | 0a6a13daccd9f149ef5417d87ff0d9dee0564fe42dcb2cd61782dc5af744e218f68c04ed2705eba8ab3c2867af81ad487f58efe3d620cd30c433e0d382efed24 |
C:\Windows\SysWOW64\Com\netcfg.000
| MD5 | d3777f588e34bbc50a1c08d472b94a83 |
| SHA1 | abcbccde250c3a142347efc32c5a89869ead61f4 |
| SHA256 | 0b10b6bdf21f31107be9140d4e8c1120c60e057421aee2a17b4b674f2b7d2b0b |
| SHA512 | 8701d268b2ea969bf4a21a13f6898d6ff21752f51bb1cbe24017422f5835a4ec5423c398f0593226affa3a2e353ff2fc30c6ec239bcc4bc3e7b09dd3f42b67cc |
C:\Windows\SysWOW64\dnsq.dll
| MD5 | c08ba4c0a84a6d5dbd2f8c99ecfe7116 |
| SHA1 | a031a2147851c856eff0161a266e33410aa94604 |
| SHA256 | 7ee24ac81046fc2e214423d816b9f805992a4aa2d9a3f9567699142e69bc863f |
| SHA512 | ddd4da03ef846c8addd3e7168c08c3ce8d354c5d82e4dd94903e918338745f5f8ec47cb6688df482e0afd68f28c4fbd2e48a3d2cae52f145cc451a77532d7f01 |