Analysis Overview
SHA256
debc992881ed63f6c7fcb5c39e7cb69c26ec9735c4a9bb6febbfe8c9d0d818d5
Threat Level: Known bad
The file 819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Modifies visibility of hidden/system files in Explorer
Adds policy Run key to start application
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Impair Defenses: Safe Mode Boot
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Modifies registry key
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 04:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 04:23
Reported
2024-10-31 04:31
Platform
win7-20240708-en
Max time kernel
121s
Max time network
119s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\windows\hosts.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\windows\hosts.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NNYJZAHP = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NNYJZAHP = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NNYJZAHP = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Windows\SysWOW64\REG.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\windows\hosts.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\windows\W_X_C.vbs | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| File created | \??\c:\windows\W_X_C.bat | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\windows\hosts.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\hosts.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\hosts.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\hosts.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
Network
Files
C:\Users\Admin\AppData\Local\Temp\avscan.exe
| MD5 | 6affc08c4cc74775a7bd9e2fdca55ee0 |
| SHA1 | 533445d44d179a3e9e10666e5c91afdb002d7384 |
| SHA256 | 01834cd5fcb17cc2d02d34c9299fda3dcaee13f2c46769ecea405bbd784a2ac9 |
| SHA512 | 02854605877d1e2161d87bba95e1db8a3aef229d9176a31dbdb49a56857057b7ec6091417661408dbf2cbb801d712a4cbe496b6a146a10c146ccbc2fb45c4876 |
C:\Windows\hosts.exe
| MD5 | 0113d3bfd3ef111307acbde36b22ad1f |
| SHA1 | 08cd63fbc51e5b37ef3efbca87a3b4668cc421f0 |
| SHA256 | 8891f846340760ce99882b7877d867c91dfb0f3077c7d28245d09541328e14bd |
| SHA512 | 47203c016e49d8b302317f019ed81249ae02799ff9c533e1d3da3e6f669eb7c17224a34b274374b3b133b897b55a9f05288b7dfed4a8879f2550c1f2981b8a81 |
\??\c:\windows\W_X_C.bat
| MD5 | 4db9f8b6175722b62ececeeeba1ce307 |
| SHA1 | 3b3ba8414706e72a6fa19e884a97b87609e11e47 |
| SHA256 | d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78 |
| SHA512 | 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b |
memory/2760-61-0x00000000024B0000-0x00000000025B0000-memory.dmp
C:\Windows\W_X_C.vbs
| MD5 | e1551d79cbac725a6adfcbb4290820bb |
| SHA1 | d66b66449fceeaa6715bea11a69986fe2ea0483f |
| SHA256 | c7619c996c4bb083af1901d74b765b5058b4b0268d772c5f58c8215987734113 |
| SHA512 | e85b74bd0e11ef737753e323a6f6a587da48feda162c87d048840c58721a6ef1be6462fa3a2e855c6a846ba45da7280b134935dbbf246807f0b662352bded0df |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 3acf4594268b3692d899f15ecc821d08 |
| SHA1 | b6d04bdc23ef556b709ceb3e231083303b9232a9 |
| SHA256 | d7d2115cd7724aca7b40554f8e58ab3786bc3d7f3093c3c8108bf98dcd073dd0 |
| SHA512 | 8b15dfdc6436a071f86cd6f71ace9bd9829fbe5b8818479cfcafd6bd87675c07b9bb7ef9267a6c44ed1a7bf0a9162f297e1ca2a3a5efeaaa2397ab126391a49a |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 2b673985aae3c7a8fe4927404966a84f |
| SHA1 | 349e97ebee31aafb8046dd37ef2cf4812c36ce48 |
| SHA256 | 723acfa9240ad38d92792afe7cc526ffa242f49d69724a64573a23ad823d4867 |
| SHA512 | 13eaee9884bd08f467944c0c18bc0080eb53f5d74f08272f650ffd08a7abe8c8f8b2ce904abc26c000e2557b6e53bbf004d774a0ca5a6e0bbc625d64a6a38596 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 20e177c2d59e823eedee317eab5291ef |
| SHA1 | 6b1bd74fa53e2210d49c235c8fa4a58241dee962 |
| SHA256 | b5a656be042dc297c73cd2b1edee0aa833d04e45a73e0a624d6649691a3ff66f |
| SHA512 | e5efea0a6afaf3fd48539bb15c5667e1c36dfa10df62140cb79c84ac0f799645d1d9edb5b23ee158d389fc92d6b781781c14332704c75c9fccaec936db64df43 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 950528c44009d2b635e960660b6cb20b |
| SHA1 | d2ab938041e2b99a0a7002d9b5ee145553389a57 |
| SHA256 | 08b4fdec80b523dc5dab2d07f49b105555b4571ebdc7dad0828241ee4b3bd74e |
| SHA512 | ac268f4402022e0592db7a090c2dcc349a299456b3e5bbd5173d531578d877083d49c0a64a37ae09ebfa979ba4936d265f62f387452fc9661153d31f2eec2051 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 124c4f5fb578efcdd0c711c7b04256ff |
| SHA1 | 1b474e1514aa703161a93bda2a80840a42d6d6dc |
| SHA256 | debc471babe633232c8427c12a7a2f532639fd83ab4922e1937065a4b50260a5 |
| SHA512 | f4861da8cb13c249050de37525ccc8376ef21f285be7eec3e28728ba666217f351d17f8bd99ff7474cd711f28e9fb3462672b92e269f70bd26ebb523cb0721ee |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | c1571d11eb250671a536738c4aa78965 |
| SHA1 | bf6b1ff64c7da031dd54da639c8389ace3f224ce |
| SHA256 | 5e08375748cacf62f247e535b4e5a8e5bd63a23e5bf44d45f0cfa3fe61dfdc88 |
| SHA512 | 7294e890c6db022453d130aef99c66ca81c9bcdd340370e378214b4fad26014c18de2df42bf48dd23bdb66f9739600c10fffd20d93e18f794939757c4d9c6690 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 9053e2a2773e1573ffdcb5f795e80ff2 |
| SHA1 | 69bf0208d0dc7f47fe51485fce6e25a08015fbc2 |
| SHA256 | 44154bb54f8fbee6b9e471a1a4430d75a2c96f4b2103e8ff83eecd57c6b58fc1 |
| SHA512 | 048287d4ba834d32408b4807221896d68378ef535db5a6c906af28a1ebdf0e071a2e8577bbc0575df8304553f503deccd3471a9b536d3475697629c51849194e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 04:23
Reported
2024-10-31 04:30
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\windows\hosts.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\windows\hosts.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HGNBWBGW = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HGNBWBGW = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HGNBWBGW = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Windows\SysWOW64\REG.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\windows\hosts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\windows\hosts.exe | N/A |
| File created | C:\windows\W_X_C.vbs | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| File created | \??\c:\windows\W_X_C.bat | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\hosts.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\hosts.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\hosts.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REG.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\avscan.exe
| MD5 | b5436bb6df903f83779bedd3c168595a |
| SHA1 | 3fae3dc913f5247bafda3892587a63a4d0ea9815 |
| SHA256 | 6c39ffa70d9994088d17894aa3f931e44b8a6815953d12058715c1aa93ea5580 |
| SHA512 | f20dd032a08a33e24630332347ae34c7eb76f3baa75995f0d7205d9070bacb3a4aa5e9b7412b9c95fe59815938548e311fe3eeffc5ed6d026a8b7cb21a98bdfd |
C:\Windows\hosts.exe
| MD5 | 56b2092fc836b2997bdf4830b2864a0f |
| SHA1 | 69d73c28c4af5ad1dcd969523551ca1a10c1c955 |
| SHA256 | b7ba6ca378593295ed8cdf0e2c8421b09cf47cceac8d32340666a8d46db8985b |
| SHA512 | 06ff9537e05050aea59accad658cf35c35a586bdf79c3ee814086c1de6e8e89aff220be4988c21cba5edf961364149b90aa02bc89545dadfbf0c0bfeb89197b7 |
\??\c:\windows\W_X_C.bat
| MD5 | 4db9f8b6175722b62ececeeeba1ce307 |
| SHA1 | 3b3ba8414706e72a6fa19e884a97b87609e11e47 |
| SHA256 | d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78 |
| SHA512 | 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b |
C:\Windows\W_X_C.vbs
| MD5 | e1ad4129d5dc3012106832f1cbc4eac9 |
| SHA1 | 7c205558c728906c8dcaa5843cd401460ef1ef20 |
| SHA256 | 8197453abdc45c9231e84c5cb41001774165fdf9b884b46e5219ee620c231988 |
| SHA512 | ec8848d95654cb3679d74cb8168a46db69dec2963a56c5165ba4f196a6fc8a90cfc7c3adae2294ad0f0721a5e263d3d3aba0bb680efa1928ba55638dad77dcc1 |