Analysis

max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 05:29
Behavioral task: behavioral1
  Sample: 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
Size: 834KB
MD5: 81c9f59d59f47adb56dcd644fe8ad3c2
SHA1: b531fd2e38e70b3f0affb73f127cb62a0fc32ca6
SHA256: ec454237d6fe71ad3987df75978e44ae5bc4cb08687358a1f27a4b88c221e9a5
SHA512: c893784f3b08553665470d375647b2a50de9ca3b8bbdba039624589d393772cba4b1ae65710c9f319408edf3301c1e8577503511c26a38ae3ebb814db665a05b
SSDEEP: 24576:3L+m21/oacr6VdrPy37WzH0A6u/cwtHbiUxZbciKY2a:bjk/oacSrPy37WzH0A6uUyH3dHKY2a
Malware Config
Signatures
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 3 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | lsass.exe
ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x000b0000000164b1-62.dat | acprotect
behavioral1/files/0x0007000000016cd7-71.dat | acprotect
Executes dropped EXE (10 IoCs)
pid | Process
2968 | smss.exe
2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
2336 | smss.exe
2320 | lsass.exe
2044 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
1728 | lsass.exe
2524 | smss.exe
1796 | smss.exe
2404 | smss.exe
576 | smss.exe
Loads dropped DLL (26 IoCs)
pid | Process
2380 | cmd.exe
2380 | cmd.exe
2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
2760 | cmd.exe
2760 | cmd.exe
2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
2044 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
2044 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
2044 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
2320 | lsass.exe
2320 | lsass.exe
2320 | lsass.exe
632 | regsvr32.exe
2524 | smss.exe
2044 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
2216 | cmd.exe
2216 | cmd.exe
2564 | cmd.exe
2564 | cmd.exe
780 | cmd.exe
780 | cmd.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
Checks for any installed AV software in registry (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | lsass.exe
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | lsass.exe
File opened (read-only) | \??\e: | lsass.exe
Indicator Removal: Clear Persistence
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | lsass.exe
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\AUTORUN.INF | lsass.exe
File opened for modification | D:\AUTORUN.INF | lsass.exe
File opened for modification | \??\E:\AUTORUN.INF | lsass.exe
File created | C:\AUTORUN.INF | lsass.exe
Drops file in System32 directory (22 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\com\bak | lsass.exe
File created | C:\Windows\SysWOW64\com\smss.exe | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\com\smss.exe | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
File created | C:\Windows\SysWOW64\com\netcfg.dll | lsass.exe
File opened for modification | \??\c:\windows\SysWOW64\com\lsass.exe | lsass.exe
File created | C:\Windows\SysWOW64\com\lsass.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\com\smss.exe | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\com\netcfg.dll | lsass.exe
File opened for modification | C:\Windows\SysWOW64\259439006.log | lsass.exe
File created | C:\Windows\SysWOW64\dnsq.dll | lsass.exe
File opened for modification | C:\Windows\SysWOW64\com\smss.exe | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
File created | C:\Windows\SysWOW64\259439006.log | lsass.exe
File opened for modification | C:\Windows\SysWOW64\com\lsass.exe | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
File created | C:\Windows\SysWOW64\com\lsass.exe | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
File created | C:\Windows\SysWOW64\00302.log | lsass.exe
File opened for modification | C:\Windows\SysWOW64\com\smss.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\com\lsass.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\com\netcfg.000 | lsass.exe
File created | C:\Windows\SysWOW64\00302.log | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\00302.log | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
File created | C:\Windows\SysWOW64\com\netcfg.000 | lsass.exe
File opened for modification | C:\Windows\SysWOW64\dnsq.dll | lsass.exe
resource | yara_rule
behavioral1/memory/2312-0-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/files/0x0009000000016875-11.dat | upx
behavioral1/memory/2312-15-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2420-28-0x0000000002F40000-0x0000000002F6C000-memory.dmp | upx
behavioral1/files/0x0009000000016b47-27.dat | upx
behavioral1/memory/2320-36-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2420-47-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/1728-51-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/files/0x000b0000000164b1-62.dat | upx
behavioral1/files/0x0007000000016cd7-71.dat | upx
behavioral1/memory/2320-72-0x0000000010000000-0x0000000010018000-memory.dmp | upx
behavioral1/memory/632-83-0x0000000010000000-0x0000000010010000-memory.dmp | upx
behavioral1/memory/2320-95-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2044-100-0x0000000010000000-0x0000000010018000-memory.dmp | upx
behavioral1/memory/2320-104-0x0000000010000000-0x0000000010018000-memory.dmp | upx
behavioral1/memory/2320-105-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2524-107-0x0000000010000000-0x0000000010018000-memory.dmp | upx
behavioral1/memory/2320-109-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2320-112-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2320-115-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2320-118-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2320-121-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2320-124-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2320-127-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2320-130-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2320-133-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2320-136-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2320-139-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2320-147-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/2320-150-0x0000000000400000-0x000000000042C000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 35 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2696 | ping.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | lsass.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\ | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} | regsvr32.exe
Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
2696 | ping.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
2320 | lsass.exe
Suspicious behavior: LoadsDriver (3 IoCs)
pid | Process
476 | Process not Found
476 | Process not Found
476 | Process not Found
Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
Token: SeDebugPrivilege | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
Token: SeDebugPrivilege | 2320 | lsass.exe
Token: 33 | 1576 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1576 | AUDIODG.EXE
Token: 33 | 1576 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1576 | AUDIODG.EXE
Suspicious use of SetWindowsHookEx (17 IoCs)
pid | Process
2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
2320 | lsass.exe
2320 | lsass.exe
2320 | lsass.exe
2320 | lsass.exe
1728 | lsass.exe
1728 | lsass.exe
1728 | lsass.exe
1728 | lsass.exe
2320 | lsass.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2312 wrote to memory of 1532 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 30
PID 2312 wrote to memory of 1532 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 30
PID 2312 wrote to memory of 1532 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 30
PID 2312 wrote to memory of 1532 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 30
PID 2312 wrote to memory of 2596 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 32
PID 2312 wrote to memory of 2596 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 32
PID 2312 wrote to memory of 2596 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 32
PID 2312 wrote to memory of 2596 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 32
PID 2312 wrote to memory of 2052 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 34
PID 2312 wrote to memory of 2052 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 34
PID 2312 wrote to memory of 2052 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 34
PID 2312 wrote to memory of 2052 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 34
PID 2312 wrote to memory of 2380 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 36
PID 2312 wrote to memory of 2380 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 36
PID 2312 wrote to memory of 2380 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 36
PID 2312 wrote to memory of 2380 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 36
PID 2380 wrote to memory of 2968 | 2380 | cmd.exe | 38
PID 2380 wrote to memory of 2968 | 2380 | cmd.exe | 38
PID 2380 wrote to memory of 2968 | 2380 | cmd.exe | 38
PID 2380 wrote to memory of 2968 | 2380 | cmd.exe | 38
PID 2312 wrote to memory of 2420 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 39
PID 2312 wrote to memory of 2420 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 39
PID 2312 wrote to memory of 2420 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 39
PID 2312 wrote to memory of 2420 | 2312 | 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | 39
PID 2420 wrote to memory of 2932 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 40
PID 2420 wrote to memory of 2932 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 40
PID 2420 wrote to memory of 2932 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 40
PID 2420 wrote to memory of 2932 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 40
PID 2420 wrote to memory of 2828 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 42
PID 2420 wrote to memory of 2828 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 42
PID 2420 wrote to memory of 2828 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 42
PID 2420 wrote to memory of 2828 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 42
PID 2420 wrote to memory of 2792 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 43
PID 2420 wrote to memory of 2792 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 43
PID 2420 wrote to memory of 2792 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 43
PID 2420 wrote to memory of 2792 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 43
PID 2420 wrote to memory of 2916 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 46
PID 2420 wrote to memory of 2916 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 46
PID 2420 wrote to memory of 2916 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 46
PID 2420 wrote to memory of 2916 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 46
PID 2420 wrote to memory of 1780 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 48
PID 2420 wrote to memory of 1780 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 48
PID 2420 wrote to memory of 1780 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 48
PID 2420 wrote to memory of 1780 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 48
PID 2420 wrote to memory of 2856 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 50
PID 2420 wrote to memory of 2856 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 50
PID 2420 wrote to memory of 2856 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 50
PID 2420 wrote to memory of 2856 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 50
PID 2420 wrote to memory of 2684 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 52
PID 2420 wrote to memory of 2684 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 52
PID 2420 wrote to memory of 2684 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 52
PID 2420 wrote to memory of 2684 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 52
PID 2420 wrote to memory of 2760 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 54
PID 2420 wrote to memory of 2760 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 54
PID 2420 wrote to memory of 2760 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 54
PID 2420 wrote to memory of 2760 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 54
PID 2760 wrote to memory of 2336 | 2760 | cmd.exe | 56
PID 2760 wrote to memory of 2336 | 2760 | cmd.exe | 56
PID 2760 wrote to memory of 2336 | 2760 | cmd.exe | 56
PID 2760 wrote to memory of 2336 | 2760 | cmd.exe | 56
PID 2420 wrote to memory of 2320 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 57
PID 2420 wrote to memory of 2320 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 57
PID 2420 wrote to memory of 2320 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 57
PID 2420 wrote to memory of 2320 | 2420 | 81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | 57
Processes
-
C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe"1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Indicator Removal: Clear Persistence
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312

  C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c echo ok
  - System Location Discovery: System Language Discovery
  PID:1532

  C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
  - System Location Discovery: System Language Discovery
  PID:2596

  C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
  - System Location Discovery: System Language Discovery
  PID:2052

  C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380

    C:\Windows\SysWOW64\com\smss.exe
    C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
    - Executes dropped EXE
    PID:2968

  \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
  "c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log"
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Indicator Removal: Clear Persistence
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2420

    C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c echo ok
    - System Location Discovery: System Language Discovery
    PID:2932

    C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    - System Location Discovery: System Language Discovery
    PID:2828

    C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
    - System Location Discovery: System Language Discovery
    PID:2792

    C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
    - System Location Discovery: System Language Discovery
    PID:2916

    C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
    - System Location Discovery: System Language Discovery
    PID:1780

    C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
    - System Location Discovery: System Language Discovery
    PID:2856

    C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
    - System Location Discovery: System Language Discovery
    PID:2684

    C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.~^|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760

      C:\Windows\SysWOW64\com\smss.exe
      C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.~|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
      - Executes dropped EXE
      PID:2336

    C:\Windows\SysWOW64\com\lsass.exe
    "C:\Windows\system32\com\lsass.exe"
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Indicator Removal: Clear Persistence
    - Drops autorun.inf file
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2320

      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c echo ok
      - System Location Discovery: System Language Discovery
      PID:2440

      C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      - System Location Discovery: System Language Discovery
      PID:2120

      C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
      - System Location Discovery: System Language Discovery
      PID:1560

      C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
      - System Location Discovery: System Language Discovery
      PID:1516

      C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
      - System Location Discovery: System Language Discovery
      PID:2184

      C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
      - System Location Discovery: System Language Discovery
      PID:2864

      C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
      - System Location Discovery: System Language Discovery
      PID:2788

      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
      - System Location Discovery: System Language Discovery
      PID:1100

      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
      - System Location Discovery: System Language Discovery
      PID:796

      C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      PID:632

      C:\Windows\SysWOW64\com\smss.exe
      C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:2524

      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
      - System Location Discovery: System Language Discovery
      PID:1540

      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
      - System Location Discovery: System Language Discovery
      PID:992

      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:2216

        C:\Windows\SysWOW64\com\smss.exe
        C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
        - Executes dropped EXE
        PID:1796

      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:2564

        C:\Windows\SysWOW64\com\smss.exe
        C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
        - Executes dropped EXE
        PID:2404

      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|E:\pagefile.pif"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:780

        C:\Windows\SysWOW64\com\smss.exe
        C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
        - Executes dropped EXE
        PID:576

      C:\Windows\SysWOW64\ping.exe
      ping.exe -f -n 1 www.baidu.com
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID:2696

    C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
    "C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2044

    C:\Windows\SysWOW64\com\lsass.exe
    ^c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1728

      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c echo ok
      - System Location Discovery: System Language Discovery
      PID:1928

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x530
- Suspicious use of AdjustPrivilegeToken
PID:1576
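The process tree above is the whole record of what the sample did, so the practical question is how to turn it into detection logic. The script below is an added example, not part of the sandbox report and not Triage's own signature code: it takes a handful of command lines copied from the tree (embedded as constructed sample input) and applies heuristic rules of its own, each tagged with the ATT&CK technique the example's author considers the closest match (the report's own matrix is the authoritative mapping). Two caveats the tree itself supplies: the image paths sit under SysWOW64 while the command lines name System32 (the 32-bit sample sees both through WoW64 file system redirection), so the rules treat both as the system root; and the `^|` in the cmd /c strings is cmd's escape for a literal `|`, which the dropped smss.exe receives as part of a single `source|destination` argument rather than as a shell pipe.

```python
"""Heuristic triage of command lines from the process tree (added example, not the report's code).
Rules and ATT&CK IDs are this example's own; the sample input is copied from the tree above."""
import re

# Constructed sample input: command lines copied from the process tree.
COMMAND_LINES = [
    r'cmd.exe /c echo ok',
    r'"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F',
    r'"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F',
    r'cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log"',
    r'"c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log"',
    r'cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"',
    r'cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"',
    r'"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s',
    r'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe',
    r'C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif',
    r'ping.exe -f -n 1 www.baidu.com',
]

SYSTEM_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64")  # WoW64 redirection: both count
CORE_PROCESS_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                      "services.exe", "lsass.exe", "svchost.exe"}
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Drive-letter paths, optionally with the \??\ NT prefix; a path token ends at
# whitespace, a quote, or cmd's | and ^ metacharacters.
PATH_RE = re.compile(r'(?:\\\?\?\\)?[a-z]:\\[^\s"|^]+', re.IGNORECASE)


def windows_paths(cmdline):
    """Every drive-letter path in the command line, lower-cased, \\??\\ prefix removed.
    Known limit of this example: an unquoted path containing spaces is cut at the space."""
    out = []
    for m in PATH_RE.findall(cmdline.replace('"', ' ')):
        p = m.lower()
        out.append(p[4:] if p.startswith("\\??\\") else p)
    return out


def image_of(cmdline):
    """The program token at the start of the command line, lower-cased."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0].lower()
    return s.split(None, 1)[0].lower()


def is_in_system_root(path):
    """True only when the file sits directly in System32/SysWOW64, not in a subfolder."""
    return path.rpartition("\\")[0] in SYSTEM_ROOTS


def findings_for(cmdline):
    """Return (technique, description, evidence) tuples for one command line."""
    low, paths, image, hits = cmdline.lower(), windows_paths(cmdline), image_of(cmdline), []

    # cacls handing Everyone full control of something under the system directory
    if image.endswith(("cacls.exe", "icacls.exe")) and re.search(r"/g\s+everyone:f", low):
        for p in paths:
            if p.startswith(SYSTEM_ROOTS) and not p.endswith("cacls.exe"):
                hits.append(("T1222.001", "Everyone:F granted on a system-directory path", p))
    # a core Windows process name living in a subfolder (System32\com\) instead of the root
    for p in paths:
        if p.rpartition("\\")[2] in CORE_PROCESS_NAMES and not is_in_system_root(p):
            hits.append(("T1036.005", "core process name outside the system root", p))
    # the program being launched carries a non-executable extension (the .exe.log copy here)
    if "." in image and "." + image.rpartition(".")[2] not in EXECUTABLE_EXTS:
        hits.append(("T1036", "image launched with a non-executable extension", image))
    # rd/del under the system directory: the dropper cleaning up its staging copies
    if image.endswith("cmd.exe") and re.search(r"\b(?:rd|rmdir|del|erase)\b", low):
        for p in paths:
            if p.startswith(SYSTEM_ROOTS):
                hits.append(("T1070.004", "deletion under the system directory via cmd", p))
    # regsvr32 registering a DLL that does not live in the system root (silently, with /s)
    if image.endswith("regsvr32.exe"):
        for p in paths:
            if p.endswith(".dll") and not is_in_system_root(p):
                hits.append(("T1218.010", "regsvr32 loads DLL from a non-standard directory", p))
    # anything placed in the all-users Startup folder
    if "\\start menu\\programs\\startup\\" in low:
        hits.append(("T1547.001", "all-users Startup folder referenced", "startup folder"))
    # pagefile.pif at a drive root, consistent with the autorun.inf drop in the report
    for p in paths:
        if re.fullmatch(r"[a-z]:\\pagefile\.pif", p):
            hits.append(("T1091", "pagefile.pif written to a drive root", p))
    # a single ping to an external host as a connectivity probe
    if image.startswith("ping") and re.search(r"-n\s+1\b", low):
        hits.append(("T1016.001", "internet connectivity check via ping", cmdline.split()[-1]))
    return hits


def triage(cmdlines):
    """findings_for over many command lines; each finding carries its source line."""
    return [(t, d, e, line) for line in cmdlines for (t, d, e) in findings_for(line)]


def technique_ids(cmdlines):
    """Sorted, de-duplicated technique IDs observed across the command lines."""
    return sorted({f[0] for f in triage(cmdlines)})


if __name__ == "__main__":
    for tech, desc, evidence, _ in triage(COMMAND_LINES):
        print(f"{tech:10} {desc}: {evidence}")
    print("techniques:", ", ".join(technique_ids(COMMAND_LINES)))
```

On a real host the same rules would run over Sysmon Event ID 1 or 4688 command lines rather than a pasted list; the `echo ok` and the `Admin:F` cacls calls deliberately produce no finding, because granting the sandbox's own user full control is unremarkable on its own, while `Everyone:F` on a System32 subfolder is what makes the later world-writable staging directory possible.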
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Indicator Removal (2)
  - Clear Persistence (1)
  - File Deletion (1)
- Modify Registry (2)
Discovery
- Peripheral Device Discovery (1)
- Query Registry (1)
- Remote System Discovery (1)
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (3)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
Downloads
- Filesize 4KB
  MD5 116b07e8887181880fad6c1145f8dc58
  SHA1 e87acb06caa8fca981069e5cf5005cc9c74e5ce7
  SHA256 454c8307648871a7db0aa79cd2d3e671e1234dcb87f42c593fa841ae9e881cca
  SHA512 8da5c36dbf296b91f46ebf1d64918a48a59cfe45dee0588f5cc40e6805bd13310ebee39b735a66b7165ac74deb99bcaa2f761eef8678a295eabd17f5437c1cc6
- Filesize 16KB
  MD5 f527f2633493d985fb77a348c8e9e723
  SHA1 83a3fbfa3eba9a435399707f7b83eda4b93d69ec
  SHA256 e2cd4430ae2646e6a9bb5206670623bc6c693da322c7402b5c08e1c1c1de7258
  SHA512 d2dc84335a2fd1a72b583edfe4bfead2247bef4b116f3419f59441f69590c81a58e453f73a1d0b51c4754fc0dbdbb03490ab03fc865bd3dc825361e0a786aab0
- Filesize 647KB
  MD5 7b400627a528576c184a8e6ae2567cc0
  SHA1 dcfa5e31be92429157c74be7e474907bbd75b102
  SHA256 e31ee78f5c6144ded9f415475facf94575add9c806ec0cac8e2486ae04b82c1a
  SHA512 5fdc94a4f4728de943e6b542305ffa6a891dcf5e80f167e9d70f0173b25311c401a122f47e286b151b02128a04073979a3cd6ccd09bdab51bcfd6915e7757d8a
- Filesize 834KB (same hashes as the submitted sample)
  MD5 81c9f59d59f47adb56dcd644fe8ad3c2
  SHA1 b531fd2e38e70b3f0affb73f127cb62a0fc32ca6
  SHA256 ec454237d6fe71ad3987df75978e44ae5bc4cb08687358a1f27a4b88c221e9a5
  SHA512 c893784f3b08553665470d375647b2a50de9ca3b8bbdba039624589d393772cba4b1ae65710c9f319408edf3301c1e8577503511c26a38ae3ebb814db665a05b
- Filesize 93KB
  MD5 dca33e599ab160c3a70099e428b28e6a
  SHA1 9cc19e802cbceb384697ca83f8fc91b15df097a4
  SHA256 83ebe1a34e60f5ccbbbbd8d75e0d74e269e23355f50b8d677b0851e8eb0183fd
  SHA512 bd0d6dd9e5442d61e3576751d6f17ffb7109ff5092d8ac038a4090f443f80f9a20436dd5346e36889e97202436b07828552c1f651d77b24748d1d563117fcdb2
- Filesize 40KB
  MD5 2c5834f823066354d9e92396ecaca50d
  SHA1 37647491c08aa2ec6d07cf805b0eabd978869f11
  SHA256 b94c93730d8031b0391e6934f3da705bfca14080238c3070f032ff4cea6b1657
  SHA512 ac3d1b1b7235e89bf5169822a250710ef61004cdaaf0e1c6c4d766dcf63223630ba81a613f0fed9b467f2c987735ec842eaef3ed53c67d3ff10563e26bc822b7
- Filesize 31KB
  MD5 46e993717175142dcdffbdd53e30ca9d
  SHA1 f57d052deb71a4a44aeb9d1efa0d4a9d70f0538e
  SHA256 c53a1e2142e9d9019021298df808ad7d8378a9545274ef511151407853dd0fd3
  SHA512 4ea6228beaf4ba09e9908f844a4e7fb1b406e427ae5d5a96bc577d6fab56c4e8672ae40c6af7aa83d8611b3f23b6d2355dd7c69fbada61e716862be78e2d5b3b